Edit tour

Windows Analysis Report
mtuXDnH1Di.exe

Overview

General Information

Sample name:	mtuXDnH1Di.exe renamed because original name is a hash value
Original sample name:	475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a.exe
Analysis ID:	1488113
MD5:	e4b47c06b5eed80fb44cfea757525634
SHA1:	78b5133cd84e3d89ebca4b36f33273df6e70c3f4
SHA256:	475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a
Tags:	exe
Infos:

Detection

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Changes security center settings (notifications, updates, antivirus, firewall)

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to resolve many domain names, but no domain seems valid

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Connects to many different domains

Contains capabilities to detect virtual machines

Contains functionality to dynamically determine API calls

Contains functionality to enumerate running services

Contains functionality to query network adapater information

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Executes massive DNS lookups (> 100)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

svchost.exe (PID: 7788 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Sgrmuserer.exe (PID: 7848 cmdline: C:\Windows\system32\Sgrmuserer.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 7916 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

mtuXDnH1Di.exe (PID: 7992 cmdline: "C:\Users\user\Desktop\mtuXDnH1Di.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

qbf43feev7f7qnhdav.exe (PID: 8076 cmdline: "C:\whfkpbh\qbf43feev7f7qnhdav.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

idtpqzltyfy.exe (PID: 1476 cmdline: "C:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

svchost.exe (PID: 8032 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 8116 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 8000 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 8124 cmdline: C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

idtpqzltyfy.exe (PID: 7336 cmdline: C:\whfkpbh\idtpqzltyfy.exe MD5: E4B47C06B5EED80FB44CFEA757525634)

amdrhfskpcu.exe (PID: 7668 cmdline: wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

idtpqzltyfy.exe (PID: 1840 cmdline: "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

amdrhfskpcu.exe (PID: 916 cmdline: wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

idtpqzltyfy.exe (PID: 4780 cmdline: "c:\whfkpbh\idtpqzltyfy.exe" MD5: E4B47C06B5EED80FB44CFEA757525634)

cleanup

Sigma Signatures

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 7788, ProcessName: svchost.exe

Snort Signatures

Suricata Signatures

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-08-05T16:32:24.185870+0200
SID:	2815568
Source Port:	50096
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 54.244.188.177 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:31:26.343740+0200
SID:	2037771
Source Port:	80
Destination Port:	49722
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 35.164.78.200 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:31:11.751114+0200
SID:	2037771
Source Port:	80
Destination Port:	49708
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 54.244.188.177 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:32:44.788310+0200
SID:	2037771
Source Port:	80
Destination Port:	50106
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 54.244.188.177

Timestamp:	2024-08-05T16:32:44.783451+0200
SID:	2815568
Source Port:	50106
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses - Source IP: 1.1.1.1 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:31:09.159317+0200
SID:	2018316
Source Port:	53
Destination Port:	64235
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 15.197.192.55

Timestamp:	2024-08-05T16:32:36.084346+0200
SID:	2815568
Source Port:	50100
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 64.190.63.222

Timestamp:	2024-08-05T16:31:25.243622+0200
SID:	2815568
Source Port:	49721
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 15.197.192.55

Timestamp:	2024-08-05T16:31:17.214399+0200
SID:	2815568
Source Port:	49711
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 188.225.40.227

Timestamp:	2024-08-05T16:31:31.936050+0200
SID:	2815568
Source Port:	49725
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 213.171.195.105

Timestamp:	2024-08-05T16:31:24.427024+0200
SID:	2815568
Source Port:	49720
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 54.244.188.177

Timestamp:	2024-08-05T16:31:26.338291+0200
SID:	2815568
Source Port:	49722
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 35.164.78.200

Timestamp:	2024-08-05T16:31:11.746217+0200
SID:	2815568
Source Port:	49708
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 34.246.200.160

Timestamp:	2024-08-05T16:31:13.938330+0200
SID:	2815568
Source Port:	49709
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 35.164.78.200

Timestamp:	2024-08-05T16:32:28.649939+0200
SID:	2815568
Source Port:	50097
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses - Source IP: 1.1.1.1 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:31:11.758243+0200
SID:	2018316
Source Port:	53
Destination Port:	54120
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net) - Source IP: 1.1.1.1 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:31:11.985924+0200
SID:	2811542
Source Port:	53
Destination Port:	55555
Protocol:	UDP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-08-05T16:32:39.692818+0200
SID:	2815568
Source Port:	50102
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 170.187.200.48

Timestamp:	2024-08-05T16:31:23.484957+0200
SID:	2815568
Source Port:	49719
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 15.197.142.173

Timestamp:	2024-08-05T16:32:34.076197+0200
SID:	2815568
Source Port:	50099
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 81.169.145.88

Timestamp:	2024-08-05T16:31:27.951432+0200
SID:	2815568
Source Port:	49723
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 85.13.130.3

Timestamp:	2024-08-05T16:32:39.216523+0200
SID:	2815568
Source Port:	50101
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 3.33.130.190

Timestamp:	2024-08-05T16:31:08.013716+0200
SID:	2815568
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 64.190.63.222

Timestamp:	2024-08-05T16:32:43.907528+0200
SID:	2815568
Source Port:	50105
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst - Source IP: 34.246.200.160 - Destination IP: 192.168.2.10

Timestamp:	2024-08-05T16:31:13.946127+0200
SID:	2037771
Source Port:	80
Destination Port:	49709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort - Source IP: 192.168.2.10 - Destination IP: 34.246.200.160

Timestamp:	2024-08-05T16:32:32.049198+0200
SID:	2815568
Source Port:	50098
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mtuXDnH1Di.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\whfkpbh\idtpqzltyfy.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\whfkpbh\amdrhfskpcu.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Avira: detection malicious, Label: TR/Nivdort.Gen2

Multi AV Scanner detection for dropped file

Source: C:\whfkpbh\amdrhfskpcu.exe	ReversingLabs: Detection: 92%
Source: C:\whfkpbh\idtpqzltyfy.exe	ReversingLabs: Detection: 92%
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: mtuXDnH1Di.exe

ReversingLabs: Detection: 92%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\whfkpbh\idtpqzltyfy.exe	Joe Sandbox ML: detected
Source: C:\whfkpbh\amdrhfskpcu.exe	Joe Sandbox ML: detected
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: mtuXDnH1Di.exe

Joe Sandbox ML: detected

Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BB0920 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		6_2_00BB0920
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AB0920 GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptGenRandom,		9_2_00AB0920

Source: mtuXDnH1Di.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: mtuXDnH1Di.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00619580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00619580
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00BC9580
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_00AC9580
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00859580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00859580
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	11_2_00AC9580
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00309580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00309580

Networking

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: smokesystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadylaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanconsider.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshconsider.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanfancy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadybranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womannorth.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginlaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberlaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadysystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemansystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencequarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencereceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberfancy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokegeneral.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokequarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experienceconsider.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summersystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partysystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partybranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencefriend.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownlaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberconsider.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightnorth.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightinclude.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightgeneral.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experienceneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadytrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshsystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginfancy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fighttrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokebelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencebelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencebranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokenorth.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdsystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokehonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followsystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womantrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: watertrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokeneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadybelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencesystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knowntrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyfancy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokereceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyinclude.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summertrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partytrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fighthonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: begintrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshlaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokeclear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followlaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughtneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyconsider.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smoketrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemantrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partynorth.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshfriend.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womangeneral.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokeinclude.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followfancy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followtrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womaninclude.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womanbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followconsider.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyclear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: waterhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencetrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughttrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: knownsystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: thoughthonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightclear.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginsystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: fightbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencelaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencehonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshtrust.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: experiencefancy.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberfriend.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanfriend.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: freshbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: womansystem.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: followquarter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: smokebranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanreceive.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyneither.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: beginbranch.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: memberhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: summerbelieve.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: alreadyhonor.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: gentlemanlaughter.net replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: partyneither.net replaycode: Name error (3)

Source: unknown

Network traffic detected: DNS query count 170

Source: global traffic

DNS traffic detected: number of DNS queries: 170

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partygeneral.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: memberreceive.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtbranch.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanbelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partybelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membertrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdtrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtsystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: watersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanhonor.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: freshfancy.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: alreadyfriend.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: followfriend.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partygeneral.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: memberreceive.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtbranch.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanbelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partybelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membertrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdtrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtsystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: watersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanhonor.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: freshfancy.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: alreadyfriend.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: followfriend.net

Source: Joe Sandbox View	IP Address: 188.225.40.227 188.225.40.227
Source: Joe Sandbox View	IP Address: 34.246.200.160 34.246.200.160

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_00610D80 socket,setsockopt,gethostbyname,inet_ntoa,inet_addr,htons,connect,send,recv,recv,closesocket,

4_2_00610D80

Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partygeneral.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: memberreceive.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtbranch.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanbelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partybelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membertrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdtrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtsystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: watersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanhonor.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: freshfancy.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: alreadyfriend.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: followfriend.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partygeneral.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: memberreceive.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtbranch.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanbelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: partybelieve.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: membertrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: crowdtrust.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: thoughtsystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: watersystem.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: womanhonor.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: freshfancy.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: alreadyfriend.net
Source: global traffic	HTTP traffic detected: GET /index.php HTTP/1.0Accept: /Connection: closeHost: followfriend.net

Source: global traffic	DNS traffic detected: DNS query: smokeclear.net
Source: global traffic	DNS traffic detected: DNS query: womangeneral.net
Source: global traffic	DNS traffic detected: DNS query: smokegeneral.net
Source: global traffic	DNS traffic detected: DNS query: womaninclude.net
Source: global traffic	DNS traffic detected: DNS query: smokeinclude.net
Source: global traffic	DNS traffic detected: DNS query: womannorth.net
Source: global traffic	DNS traffic detected: DNS query: smokenorth.net
Source: global traffic	DNS traffic detected: DNS query: partyclear.net
Source: global traffic	DNS traffic detected: DNS query: fightclear.net
Source: global traffic	DNS traffic detected: DNS query: partygeneral.net
Source: global traffic	DNS traffic detected: DNS query: fightgeneral.net
Source: global traffic	DNS traffic detected: DNS query: partyinclude.net
Source: global traffic	DNS traffic detected: DNS query: fightinclude.net
Source: global traffic	DNS traffic detected: DNS query: partynorth.net
Source: global traffic	DNS traffic detected: DNS query: fightnorth.net
Source: global traffic	DNS traffic detected: DNS query: freshbranch.net
Source: global traffic	DNS traffic detected: DNS query: experiencebranch.net
Source: global traffic	DNS traffic detected: DNS query: freshbelieve.net
Source: global traffic	DNS traffic detected: DNS query: experiencebelieve.net
Source: global traffic	DNS traffic detected: DNS query: freshreceive.net
Source: global traffic	DNS traffic detected: DNS query: experiencereceive.net
Source: global traffic	DNS traffic detected: DNS query: freshquarter.net
Source: global traffic	DNS traffic detected: DNS query: experiencequarter.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanbranch.net
Source: global traffic	DNS traffic detected: DNS query: alreadybranch.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanbelieve.net
Source: global traffic	DNS traffic detected: DNS query: alreadybelieve.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanreceive.net
Source: global traffic	DNS traffic detected: DNS query: alreadyreceive.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanquarter.net
Source: global traffic	DNS traffic detected: DNS query: alreadyquarter.net
Source: global traffic	DNS traffic detected: DNS query: followbranch.net
Source: global traffic	DNS traffic detected: DNS query: memberbranch.net
Source: global traffic	DNS traffic detected: DNS query: followbelieve.net
Source: global traffic	DNS traffic detected: DNS query: memberbelieve.net
Source: global traffic	DNS traffic detected: DNS query: followreceive.net
Source: global traffic	DNS traffic detected: DNS query: memberreceive.net
Source: global traffic	DNS traffic detected: DNS query: followquarter.net
Source: global traffic	DNS traffic detected: DNS query: memberquarter.net
Source: global traffic	DNS traffic detected: DNS query: beginbranch.net
Source: global traffic	DNS traffic detected: DNS query: knownbranch.net
Source: global traffic	DNS traffic detected: DNS query: beginbelieve.net
Source: global traffic	DNS traffic detected: DNS query: knownbelieve.net
Source: global traffic	DNS traffic detected: DNS query: beginreceive.net
Source: global traffic	DNS traffic detected: DNS query: knownreceive.net
Source: global traffic	DNS traffic detected: DNS query: beginquarter.net
Source: global traffic	DNS traffic detected: DNS query: knownquarter.net
Source: global traffic	DNS traffic detected: DNS query: summerbranch.net
Source: global traffic	DNS traffic detected: DNS query: crowdbranch.net
Source: global traffic	DNS traffic detected: DNS query: summerbelieve.net
Source: global traffic	DNS traffic detected: DNS query: crowdbelieve.net
Source: global traffic	DNS traffic detected: DNS query: summerreceive.net
Source: global traffic	DNS traffic detected: DNS query: crowdreceive.net
Source: global traffic	DNS traffic detected: DNS query: summerquarter.net
Source: global traffic	DNS traffic detected: DNS query: crowdquarter.net
Source: global traffic	DNS traffic detected: DNS query: thoughtbranch.net
Source: global traffic	DNS traffic detected: DNS query: waterbranch.net
Source: global traffic	DNS traffic detected: DNS query: thoughtbelieve.net
Source: global traffic	DNS traffic detected: DNS query: waterbelieve.net
Source: global traffic	DNS traffic detected: DNS query: thoughtreceive.net
Source: global traffic	DNS traffic detected: DNS query: waterreceive.net
Source: global traffic	DNS traffic detected: DNS query: thoughtquarter.net
Source: global traffic	DNS traffic detected: DNS query: waterquarter.net
Source: global traffic	DNS traffic detected: DNS query: womanbranch.net
Source: global traffic	DNS traffic detected: DNS query: smokebranch.net
Source: global traffic	DNS traffic detected: DNS query: womanbelieve.net
Source: global traffic	DNS traffic detected: DNS query: smokebelieve.net
Source: global traffic	DNS traffic detected: DNS query: womanreceive.net
Source: global traffic	DNS traffic detected: DNS query: smokereceive.net
Source: global traffic	DNS traffic detected: DNS query: womanquarter.net
Source: global traffic	DNS traffic detected: DNS query: smokequarter.net
Source: global traffic	DNS traffic detected: DNS query: partybranch.net
Source: global traffic	DNS traffic detected: DNS query: fightbranch.net
Source: global traffic	DNS traffic detected: DNS query: partybelieve.net
Source: global traffic	DNS traffic detected: DNS query: fightbelieve.net
Source: global traffic	DNS traffic detected: DNS query: partyreceive.net
Source: global traffic	DNS traffic detected: DNS query: fightreceive.net
Source: global traffic	DNS traffic detected: DNS query: partyquarter.net
Source: global traffic	DNS traffic detected: DNS query: fightquarter.net
Source: global traffic	DNS traffic detected: DNS query: freshhonor.net
Source: global traffic	DNS traffic detected: DNS query: experiencehonor.net
Source: global traffic	DNS traffic detected: DNS query: freshneither.net
Source: global traffic	DNS traffic detected: DNS query: experienceneither.net
Source: global traffic	DNS traffic detected: DNS query: freshsystem.net
Source: global traffic	DNS traffic detected: DNS query: experiencesystem.net
Source: global traffic	DNS traffic detected: DNS query: freshtrust.net
Source: global traffic	DNS traffic detected: DNS query: experiencetrust.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanhonor.net
Source: global traffic	DNS traffic detected: DNS query: alreadyhonor.net
Source: global traffic	DNS traffic detected: DNS query: gentlemanneither.net
Source: global traffic	DNS traffic detected: DNS query: alreadyneither.net
Source: global traffic	DNS traffic detected: DNS query: gentlemansystem.net
Source: global traffic	DNS traffic detected: DNS query: alreadysystem.net
Source: global traffic	DNS traffic detected: DNS query: gentlemantrust.net
Source: global traffic	DNS traffic detected: DNS query: alreadytrust.net
Source: global traffic	DNS traffic detected: DNS query: followhonor.net
Source: global traffic	DNS traffic detected: DNS query: memberhonor.net
Source: global traffic	DNS traffic detected: DNS query: followneither.net
Source: global traffic	DNS traffic detected: DNS query: memberneither.net
Source: global traffic	DNS traffic detected: DNS query: followsystem.net

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Mon, 05 Aug 2024 14:31:15 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 05 Aug 2024 14:31:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 14:31:27 GMTServer: Apache/2.4.61 (Unix)Content-Length: 196Content-Type: text/html; charset=iso-8859-1Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Mon, 05 Aug 2024 14:32:34 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 05 Aug 2024 14:32:41 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddencontent-length: 93cache-control: no-cachecontent-type: text/htmlconnection: closeData Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 05 Aug 2024 14:32:46 GMTServer: Apache/2.4.61 (Unix)Content-Length: 196Content-Type: text/html; charset=iso-8859-1Connection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Source: svchost.exe, 00000008.00000002.3125275726.000001F92F887000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3125642231.000001F930118000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.dr	String found in binary or memory: http://standards.iso.org/iso/19770/-2/2009/schema.xsd
Source: svchost.exe, 00000000.00000002.1364443406.0000023818E13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000000.00000002.1364587204.0000023818E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364670137.0000023818E81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364552805.0000023818E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363575259.0000023818E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363538945.0000023818E5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1364638408.0000023818E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363043255.0000023818E67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1362841900.0000023818E85000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364690063.0000023818E87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363538945.0000023818E5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1364638408.0000023818E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363043255.0000023818E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364469160.0000023818E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364528459.0000023818E3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1364528459.0000023818E3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=
Source: svchost.exe, 00000000.00000003.1363636604.0000023818E31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363554004.0000023818E4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000002.1364528459.0000023818E3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1364552805.0000023818E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363575259.0000023818E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1363469186.0000023818E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364638408.0000023818E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363043255.0000023818E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364469160.0000023818E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=
Source: idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fasthosts.co.uk/
Source: idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000009.00000002.2053122819.0000000001A6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084893409.0000000001A7D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://followfriend.net/index.php
Source: svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.sshP
Source: svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualea
Source: svchost.exe, 00000000.00000003.1363575259.0000023818E43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1363554004.0000023818E4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1363554004.0000023818E4B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1363469186.0000023818E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364469160.0000023818E2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000002.1364587204.0000023818E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000009.00000002.2053122819.0000000001A6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084893409.0000000001A7D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par
Source: idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/domain-names/search/?domain=$
Source: idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_
Source: idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-199510482-1

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	File created: C:\Windows\whfkpbh\	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	File created: C:\Windows\whfkpbh\euwvjohdxkkj	Jump to behavior

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

File deleted: C:\Windows\whfkpbh\euwvjohdxkkj

Jump to behavior

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_005F7A04	4_2_005F7A04
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00605200	4_2_00605200
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_006030F0	4_2_006030F0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0060A0A6	4_2_0060A0A6
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_005F1490	4_2_005F1490
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0060F160	4_2_0060F160
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_005FE550	4_2_005FE550
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0060A930	4_2_0060A930
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00625930	4_2_00625930
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_006155E0	4_2_006155E0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0060E1C0	4_2_0060E1C0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00610D80	4_2_00610D80
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00616A7B	4_2_00616A7B
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00620220	4_2_00620220
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00614EA0	4_2_00614EA0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_006122A0	4_2_006122A0
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00620A90	4_2_00620A90
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_005FD760	4_2_005FD760
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00619B00	4_2_00619B00
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0061E70B	4_2_0061E70B
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_005FF330	4_2_005FF330
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_006097B0	4_2_006097B0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BBA930	6_2_00BBA930
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BB5200	6_2_00BB5200
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BA7A04	6_2_00BA7A04
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC9B00	6_2_00BC9B00
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BBA0A6	6_2_00BBA0A6
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BA1490	6_2_00BA1490
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BB30F0	6_2_00BB30F0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC0D80	6_2_00BC0D80
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC55E0	6_2_00BC55E0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BBE1C0	6_2_00BBE1C0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BD5930	6_2_00BD5930
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BBF160	6_2_00BBF160
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BAE550	6_2_00BAE550
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC4EA0	6_2_00BC4EA0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC22A0	6_2_00BC22A0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BD0A90	6_2_00BD0A90
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC66EA	6_2_00BC66EA
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BD0220	6_2_00BD0220
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC6A7B	6_2_00BC6A7B
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BB97B0	6_2_00BB97B0
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BAF330	6_2_00BAF330
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BCE70B	6_2_00BCE70B
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BAD760	6_2_00BAD760
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC0D80	9_2_00AC0D80
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ABA930	9_2_00ABA930
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC22A0	9_2_00AC22A0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AB5200	9_2_00AB5200
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AA7A04	9_2_00AA7A04
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC9B00	9_2_00AC9B00
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ABA0A6	9_2_00ABA0A6
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AA1490	9_2_00AA1490
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AB30F0	9_2_00AB30F0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC55E0	9_2_00AC55E0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ABE1C0	9_2_00ABE1C0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AD5930	9_2_00AD5930
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ABF160	9_2_00ABF160
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AAE550	9_2_00AAE550
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC4EA0	9_2_00AC4EA0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AD0A90	9_2_00AD0A90
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC66E7	9_2_00AC66E7
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AD0220	9_2_00AD0220
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC6A7B	9_2_00AC6A7B
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AB97B0	9_2_00AB97B0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ACE726	9_2_00ACE726
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AAF330	9_2_00AAF330
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AAD760	9_2_00AAD760
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00845200	10_2_00845200
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00837A04	10_2_00837A04
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00831490	10_2_00831490
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0084A0A6	10_2_0084A0A6
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_008430F0	10_2_008430F0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00850D80	10_2_00850D80
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0084E1C0	10_2_0084E1C0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_008555E0	10_2_008555E0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0084A930	10_2_0084A930
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00865930	10_2_00865930
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0083E550	10_2_0083E550
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0084F160	10_2_0084F160
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00860A90	10_2_00860A90
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00854EA0	10_2_00854EA0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_008522A0	10_2_008522A0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_008566E7	10_2_008566E7
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00860220	10_2_00860220
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00856A7B	10_2_00856A7B
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_008497B0	10_2_008497B0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00859B00	10_2_00859B00
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0085E70C	10_2_0085E70C
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0083F330	10_2_0083F330
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0083D760	10_2_0083D760
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AB5200	11_2_00AB5200
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AA7A04	11_2_00AA7A04
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ABA0A6	11_2_00ABA0A6
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AA1490	11_2_00AA1490
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AB30F0	11_2_00AB30F0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC0D80	11_2_00AC0D80
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC55E0	11_2_00AC55E0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ABE1C0	11_2_00ABE1C0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ABA930	11_2_00ABA930
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AD5930	11_2_00AD5930
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ABF160	11_2_00ABF160
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AAE550	11_2_00AAE550
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC4EA0	11_2_00AC4EA0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC22A0	11_2_00AC22A0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AD0A90	11_2_00AD0A90
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC66E7	11_2_00AC66E7
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AD0220	11_2_00AD0220
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC6A7B	11_2_00AC6A7B
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AB97B0	11_2_00AB97B0
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ACE726	11_2_00ACE726
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AAF330	11_2_00AAF330
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC9B00	11_2_00AC9B00
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AAD760	11_2_00AAD760
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002E7A04	16_2_002E7A04
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002F5200	16_2_002F5200
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002FA0A6	16_2_002FA0A6
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002E1490	16_2_002E1490
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002F30F0	16_2_002F30F0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00315930	16_2_00315930
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002FA930	16_2_002FA930
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002FF160	16_2_002FF160
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002EE550	16_2_002EE550
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00300D80	16_2_00300D80
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_003055E0	16_2_003055E0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002FE1C0	16_2_002FE1C0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00310220	16_2_00310220
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00306A7B	16_2_00306A7B
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00304EA0	16_2_00304EA0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_003022A0	16_2_003022A0
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00310A90	16_2_00310A90
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002EF330	16_2_002EF330
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00309B00	16_2_00309B00
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_0030E70B	16_2_0030E70B
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002ED760	16_2_002ED760
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002F97B0	16_2_002F97B0

Source: mtuXDnH1Di.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal96.troj.evad.winEXE@23/7@328/12

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	4_2_00600500
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	6_2_00BB0500
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	9_2_00AB0500
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	10_2_00840500
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	11_2_00AB0500
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,	16_2_002F0500

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_00602120 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_00602120

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_00600500 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

4_2_00600500

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_005FC660 StartServiceCtrlDispatcherA,	4_2_005FC660
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BAC660 StartServiceCtrlDispatcherA,	6_2_00BAC660
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AAC660 StartServiceCtrlDispatcherA,	9_2_00AAC660
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0083C660 StartServiceCtrlDispatcherA,	10_2_0083C660
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AAC660 StartServiceCtrlDispatcherA,	11_2_00AAC660
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_002EC660 StartServiceCtrlDispatcherA,	16_2_002EC660

Source: C:\whfkpbh\idtpqzltyfy.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3480:120:WilError_03

Source: mtuXDnH1Di.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: mtuXDnH1Di.exe

ReversingLabs: Detection: 92%

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

File read: C:\Users\user\Desktop\mtuXDnH1Di.exe

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\Sgrmuserer.exe C:\Windows\system32\Sgrmuserer.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Users\user\Desktop\mtuXDnH1Di.exe "C:\Users\user\Desktop\mtuXDnH1Di.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Process created: C:\whfkpbh\qbf43feev7f7qnhdav.exe "C:\whfkpbh\qbf43feev7f7qnhdav.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\whfkpbh\idtpqzltyfy.exe C:\whfkpbh\idtpqzltyfy.exe
Source: C:\whfkpbh\idtpqzltyfy.exe	Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Process created: C:\whfkpbh\idtpqzltyfy.exe "C:\whfkpbh\idtpqzltyfy.exe"
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\whfkpbh\amdrhfskpcu.exe	Process created: C:\whfkpbh\idtpqzltyfy.exe "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\idtpqzltyfy.exe	Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\whfkpbh\amdrhfskpcu.exe	Process created: C:\whfkpbh\idtpqzltyfy.exe "c:\whfkpbh\idtpqzltyfy.exe"
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Process created: C:\whfkpbh\qbf43feev7f7qnhdav.exe "C:\whfkpbh\qbf43feev7f7qnhdav.exe"	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Process created: C:\whfkpbh\idtpqzltyfy.exe "C:\whfkpbh\idtpqzltyfy.exe"	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	Process created: C:\whfkpbh\idtpqzltyfy.exe "c:\whfkpbh\idtpqzltyfy.exe"	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Process created: C:\whfkpbh\amdrhfskpcu.exe wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	Process created: C:\whfkpbh\idtpqzltyfy.exe "c:\whfkpbh\idtpqzltyfy.exe"	Jump to behavior

Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsusererclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: mtuXDnH1Di.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_0060A930 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

4_2_0060A930

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0061E45B push 00000003h; iretd	4_2_0061E45F
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0061CE6A pushad ; ret	4_2_0061CE6B
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_0061CE6F pushad ; ret	4_2_0061CE70
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BCE45B push 00000003h; iretd	6_2_00BCE45F
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BCCE6F pushad ; ret	6_2_00BCCE70
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ACE45B push 00000003h; iretd	9_2_00ACE45F
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ACCE6F pushad ; ret	9_2_00ACCE70
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00ACCE6A pushad ; ret	9_2_00ACCE6B
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0085E45B push 00000003h; iretd	10_2_0085E45F
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0085CE6F pushad ; ret	10_2_0085CE70
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_0085CE6A pushad ; ret	10_2_0085CE6B
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ACE45B push 00000003h; iretd	11_2_00ACE45F
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ACCE6F pushad ; ret	11_2_00ACCE70
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00ACCE6A pushad ; ret	11_2_00ACCE6B
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_0030E45B push 00000003h; iretd	16_2_0030E45F
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_0030CE6A pushad ; ret	16_2_0030CE6B
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_0030CE6F pushad ; ret	16_2_0030CE70

Source: mtuXDnH1Di.exe	Static PE information: section name: .text entropy: 6.86562473291782
Source: qbf43feev7f7qnhdav.exe.4.dr	Static PE information: section name: .text entropy: 6.86562473291782
Source: idtpqzltyfy.exe.6.dr	Static PE information: section name: .text entropy: 6.86562473291782
Source: amdrhfskpcu.exe.9.dr	Static PE information: section name: .text entropy: 6.86562473291782

Source: C:\whfkpbh\idtpqzltyfy.exe	File created: C:\whfkpbh\amdrhfskpcu.exe	Jump to dropped file
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	File created: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Jump to dropped file
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	File created: C:\whfkpbh\idtpqzltyfy.exe	Jump to dropped file

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_00600500 OpenSCManagerA,CreateServiceA,ChangeServiceConfig2A,StartServiceA,CloseServiceHandle,OpenServiceA,StartServiceA,CloseServiceHandle,CloseServiceHandle,

4_2_00600500

Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	4_2_005FAF20
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	6_2_00BAAF20
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	9_2_00AAAF20
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	10_2_0083AF20
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	11_2_00AAAF20
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: OpenSCManagerA,EnumServicesStatusA,GetLastError,EnumServicesStatusA,CloseServiceHandle,	16_2_002EAF20

Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,RtlAllocateHeap,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		6_2_00BBA930
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,HeapAlloc,FreeLibrary,GetAdaptersInfo,HeapFree,FreeLibrary,		9_2_00ABA930

Source: C:\whfkpbh\amdrhfskpcu.exe	Window / User API: threadDelayed 636	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	Window / User API: threadDelayed 1238	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	Window / User API: threadDelayed 644	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe	Window / User API: threadDelayed 1232	Jump to behavior

Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_6-11340
Source: C:\whfkpbh\amdrhfskpcu.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_10-11333
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_4-11057
Source: C:\whfkpbh\idtpqzltyfy.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_9-11283

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_4-9681
Source: C:\whfkpbh\idtpqzltyfy.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_9-9923
Source: C:\whfkpbh\amdrhfskpcu.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_10-9783
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_6-11440

Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7676	Thread sleep count: 636 > 30	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7676	Thread sleep time: -636000s >= -30000s	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7676	Thread sleep count: 1238 > 30	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 7676	Thread sleep time: -1238000s >= -30000s	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe TID: 760	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe TID: 760	Thread sleep time: -50000s >= -30000s	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 3096	Thread sleep count: 644 > 30	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 3096	Thread sleep time: -644000s >= -30000s	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 3096	Thread sleep count: 1232 > 30	Jump to behavior
Source: C:\whfkpbh\amdrhfskpcu.exe TID: 3096	Thread sleep time: -1232000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\whfkpbh\idtpqzltyfy.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\whfkpbh\idtpqzltyfy.exe	Last function: Thread delayed

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	Code function: 4_2_00619580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	4_2_00619580
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	Code function: 6_2_00BC9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	6_2_00BC9580
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 9_2_00AC9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	9_2_00AC9580
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 10_2_00859580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	10_2_00859580
Source: C:\whfkpbh\idtpqzltyfy.exe	Code function: 11_2_00AC9580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	11_2_00AC9580
Source: C:\whfkpbh\amdrhfskpcu.exe	Code function: 16_2_00309580 Sleep,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,	16_2_00309580

Source: C:\whfkpbh\idtpqzltyfy.exe	Thread delayed: delay time: 50000			Jump to behavior
Source: C:\whfkpbh\idtpqzltyfy.exe	Thread delayed: delay time: 50000			Jump to behavior

Source: svchost.exe, 00000005.00000002.3125308570.000001AA45C70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000005.00000002.3125420724.000001AA45C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3125181211.000001AA45C4B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3125420724.000001AA45C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: "@\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3125308570.000001AA45C64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000005.00000002.3124989839.000001AA45C00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.3125308570.000001AA45C70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000005.00000002.3125420724.000001AA45C90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3125095502.000001AA45C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3125420724.000001AA45C8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: idtpqzltyfy.exe, 0000000F.00000002.3084792156.0000000000FE7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
Source: qbf43feev7f7qnhdav.exe, 00000006.00000002.1306359971.0000000000A8E000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FAA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9299
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9326
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9667
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9307
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9250
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9265
Source: C:\Users\user\Desktop\mtuXDnH1Di.exe	API call chain: ExitProcess graph end node	graph_4-9112
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	API call chain: ExitProcess graph end node	graph_6-9605
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	API call chain: ExitProcess graph end node	graph_6-9588
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	API call chain: ExitProcess graph end node	graph_6-9620
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	API call chain: ExitProcess graph end node	graph_6-9567
Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe	API call chain: ExitProcess graph end node	graph_6-9414
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9533
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9509
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9313
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9467
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9492
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9454
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9524
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_9-9442
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node	graph_10-9572
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node	graph_10-9598
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node	graph_10-9943
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node	graph_10-9536
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node	graph_10-9523
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node	graph_10-9555
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9599
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9606
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9563
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9579
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9964
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9622
Source: C:\whfkpbh\idtpqzltyfy.exe	API call chain: ExitProcess graph end node	graph_11-9408
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node
Source: C:\whfkpbh\amdrhfskpcu.exe	API call chain: ExitProcess graph end node

Source: C:\whfkpbh\idtpqzltyfy.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_0060A930 GetProcessHeap,LoadLibraryA,GetProcAddress,FreeLibrary,HeapAlloc,FreeLibrary,HeapFree,HeapAlloc,FreeLibrary,HeapFree,FreeLibrary,

4_2_0060A930

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_005FE2C0 GetProcessHeap,RtlAllocateHeap,

4_2_005FE2C0

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_005FB7A0 AllocateAndInitializeSid,CheckTokenMembership,

4_2_005FB7A0

Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_006250E0 GetSystemTime,GetTickCount,

4_2_006250E0

Source: C:\Users\user\Desktop\mtuXDnH1Di.exe

Code function: 4_2_00605200 GetVersionExA,CreateDirectoryA,DeleteFileA,RemoveDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,GetTempPathA,CreateDirectoryA,GetTempPathA,SetFileAttributesA,

4_2_00605200

Source: C:\whfkpbh\qbf43feev7f7qnhdav.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Jump to behavior

Source: svchost.exe, 00000007.00000002.3125991847.000001D44F702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.3125991847.000001D44F702000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	4 Windows Service	4 Windows Service	2 Obfuscated Files or Information	LSASS Memory	1 System Service Discovery	Remote Desktop Protocol	Data from Removable Media	2 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	Logon Script (Windows)	1 Process Injection	1 Software Packing	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 File Deletion	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
mtuXDnH1Di.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
mtuXDnH1Di.exe	100%	Avira	TR/Nivdort.Gen2
mtuXDnH1Di.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\whfkpbh\idtpqzltyfy.exe	100%	Avira	TR/Nivdort.Gen2
C:\whfkpbh\amdrhfskpcu.exe	100%	Avira	TR/Nivdort.Gen2
C:\whfkpbh\qbf43feev7f7qnhdav.exe	100%	Avira	TR/Nivdort.Gen2
C:\whfkpbh\idtpqzltyfy.exe	100%	Joe Sandbox ML
C:\whfkpbh\amdrhfskpcu.exe	100%	Joe Sandbox ML
C:\whfkpbh\qbf43feev7f7qnhdav.exe	100%	Joe Sandbox ML
C:\whfkpbh\amdrhfskpcu.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\whfkpbh\idtpqzltyfy.exe	92%	ReversingLabs	Win32.Spyware.Nivdort
C:\whfkpbh\qbf43feev7f7qnhdav.exe	92%	ReversingLabs	Win32.Spyware.Nivdort

Source	Detection	Scanner	Label
https://dev.virtualearth.net/REST/v1/Locations	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/v1/Routes/Driving	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Transit/Stops/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Walking	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Routes/	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Transit/Stops/	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	0%	Avira URL Cloud	safe
https://www.fasthosts.co.uk/domain-names/search/?domain=$	0%	Avira URL Cloud	safe
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/mapcontrol/logging.ashx	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://fasthosts.co.uk/	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	0%	Avira URL Cloud	safe
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_	0%	Avira URL Cloud	safe
https://dynamic.t	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Routes/Transit	0%	Avira URL Cloud	safe
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	0%	Avira URL Cloud	safe
https://followfriend.net/index.php	0%	Avira URL Cloud	safe
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	0%	Avira URL Cloud	safe
https://t0.sshP	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=	0%	Avira URL Cloud	safe
http://www.bingmapsportal.com	0%	Avira URL Cloud	safe
https://dev.ditu.live.com/REST/v1/Locations	0%	Avira URL Cloud	safe
https://t0.ssl.ak.dynamic.tiles.virtualea	0%	Avira URL Cloud	safe
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par	0%	Avira URL Cloud	safe
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	0%	Avira URL Cloud	safe
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
crowdtrust.net	170.187.200.48	true	false	unknown
watersystem.net	64.190.63.222	true	false	unknown
thoughtsystem.net	213.171.195.105	true	false	unknown
membersystem.net	85.13.130.3	true	false	unknown
partygeneral.net	3.33.130.190	true	false	unknown
womanbelieve.net	15.197.142.173	true	false	unknown
womanhonor.net	54.244.188.177	true	false	unknown
membertrust.net	3.33.130.190	true	false	unknown
memberreceive.net	35.164.78.200	true	false	unknown
followfriend.net	188.225.40.227	true	false	unknown
partybelieve.net	15.197.192.55	true	false	unknown
freshfancy.net	81.169.145.88	true	false	unknown
alreadyfriend.net	15.197.192.55	true	false	unknown
thoughtbranch.net	34.246.200.160	true	false	unknown
beginhonor.net	unknown	unknown	true	unknown
memberlaughter.net	unknown	unknown	true	unknown
freshneither.net	unknown	unknown	true	unknown
thoughtneither.net	unknown	unknown	true	unknown
experiencefancy.net	unknown	unknown	true	unknown
followconsider.net	unknown	unknown	true	unknown
alreadyhonor.net	unknown	unknown	true	unknown
fighttrust.net	unknown	unknown	true	unknown
knownsystem.net	unknown	unknown	true	unknown
gentlemanhonor.net	unknown	unknown	true	unknown
memberfriend.net	unknown	unknown	true	unknown
freshtrust.net	unknown	unknown	true	unknown
experiencetrust.net	unknown	unknown	true	unknown
alreadybelieve.net	unknown	unknown	true	unknown
partyclear.net	unknown	unknown	true	unknown
waterquarter.net	unknown	unknown	true	unknown
fightbranch.net	unknown	unknown	true	unknown
knownlaughter.net	unknown	unknown	true	unknown
followtrust.net	unknown	unknown	true	unknown
experiencebelieve.net	unknown	unknown	true	unknown
summerhonor.net	unknown	unknown	true	unknown
thoughttrust.net	unknown	unknown	true	unknown
freshhonor.net	unknown	unknown	true	unknown
followfancy.net	unknown	unknown	true	unknown
freshfriend.net	unknown	unknown	true	unknown
freshconsider.net	unknown	unknown	true	unknown
summerquarter.net	unknown	unknown	true	unknown
gentlemantrust.net	unknown	unknown	true	unknown
fightinclude.net	unknown	unknown	true	unknown
gentlemanlaughter.net	unknown	unknown	true	unknown
memberbelieve.net	unknown	unknown	true	unknown
alreadylaughter.net	unknown	unknown	true	unknown
summerreceive.net	unknown	unknown	true	unknown
smokequarter.net	unknown	unknown	true	unknown
experiencesystem.net	unknown	unknown	true	unknown
thoughthonor.net	unknown	unknown	true	unknown
followbelieve.net	unknown	unknown	true	unknown
knowntrust.net	unknown	unknown	true	unknown
partybranch.net	unknown	unknown	true	unknown
crowdneither.net	unknown	unknown	true	unknown
womaninclude.net	unknown	unknown	true	unknown
smokebelieve.net	unknown	unknown	true	unknown
fightnorth.net	unknown	unknown	true	unknown
gentlemanneither.net	unknown	unknown	true	unknown
followquarter.net	unknown	unknown	true	unknown
knownhonor.net	unknown	unknown	true	unknown
womantrust.net	unknown	unknown	true	unknown
memberquarter.net	unknown	unknown	true	unknown
experiencefriend.net	unknown	unknown	true	unknown
waterbranch.net	unknown	unknown	true	unknown
smoketrust.net	unknown	unknown	true	unknown
gentlemanreceive.net	unknown	unknown	true	unknown
fightsystem.net	unknown	unknown	true	unknown
memberfancy.net	unknown	unknown	true	unknown
crowdhonor.net	unknown	unknown	true	unknown
summerbelieve.net	unknown	unknown	true	unknown
womanbranch.net	unknown	unknown	true	unknown
crowdbranch.net	unknown	unknown	true	unknown
beginbranch.net	unknown	unknown	true	unknown
experiencehonor.net	unknown	unknown	true	unknown
waterreceive.net	unknown	unknown	true	unknown
gentlemansystem.net	unknown	unknown	true	unknown
crowdsystem.net	unknown	unknown	true	unknown
knownbelieve.net	unknown	unknown	true	unknown
knownquarter.net	unknown	unknown	true	unknown
beginsystem.net	unknown	unknown	true	unknown
followsystem.net	unknown	unknown	true	unknown
crowdreceive.net	unknown	unknown	true	unknown
alreadyquarter.net	unknown	unknown	true	unknown
beginquarter.net	unknown	unknown	true	unknown
freshbelieve.net	unknown	unknown	true	unknown
alreadyconsider.net	unknown	unknown	true	unknown
alreadytrust.net	unknown	unknown	true	unknown
freshquarter.net	unknown	unknown	true	unknown
gentlemanfriend.net	unknown	unknown	true	unknown
beginbelieve.net	unknown	unknown	true	unknown
memberhonor.net	unknown	unknown	true	unknown
summersystem.net	unknown	unknown	true	unknown
partyquarter.net	unknown	unknown	true	unknown
alreadyfancy.net	unknown	unknown	true	unknown
fightneither.net	unknown	unknown	true	unknown
alreadybranch.net	unknown	unknown	true	unknown
partynorth.net	unknown	unknown	true	unknown
womangeneral.net	unknown	unknown	true	unknown
thoughtreceive.net	unknown	unknown	true	unknown
smokegeneral.net	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=	svchost.exe, 00000000.00000003.1363469186.0000023818E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000000.00000002.1364638408.0000023818E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363043255.0000023818E67000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000000.00000003.1363575259.0000023818E43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000000.00000003.1362841900.0000023818E85000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364690063.0000023818E87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000000.00000002.1364638408.0000023818E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363043255.0000023818E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364469160.0000023818E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364528459.0000023818E3F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000000.00000003.1363554004.0000023818E4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Stops/	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000000.00000002.1364552805.0000023818E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363575259.0000023818E43000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fasthosts.co.uk/domain-names/search/?domain=$	idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000000.00000003.1363554004.0000023818E4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000000.00000002.1364587204.0000023818E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://standards.iso.org/iso/19770/-2/2009/schema.xsd	svchost.exe, 00000008.00000002.3125275726.000001F92F887000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.3125642231.000001F930118000.00000004.00000020.00020000.00000000.sdmp, regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.8.dr	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364670137.0000023818E81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364552805.0000023818E44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363575259.0000023818E43000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363538945.0000023818E5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?entry=	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364469160.0000023818E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fasthosts.co.uk/	idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000000.00000002.1364528459.0000023818E3F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000000.00000002.1364528459.0000023818E3F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.t	svchost.exe, 00000000.00000003.1363469186.0000023818E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://followfriend.net/index.php	idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000009.00000002.2053122819.0000000001A6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084893409.0000000001A7D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fasthosts.co.uk/get-online?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_	idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.sshP	svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000000.00000002.1364587204.0000023818E59000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/mapcontrol/roadshield.ashx?bucket=	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.bingmapsportal.com	svchost.exe, 00000000.00000002.1364443406.0000023818E13000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000002.1364620337.0000023818E63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363056654.0000023818E62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363484245.0000023818E58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363538945.0000023818E5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t0.ssl.ak.dynamic.tiles.virtualea	svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000000.00000003.1362762254.0000023818E4A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364638408.0000023818E68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363043255.0000023818E67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1364469160.0000023818E2B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000000.00000003.1363636604.0000023818E31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1362777933.0000023818E34000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1363554004.0000023818E4B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.fasthosts.co.uk/contact?utm_source=domainparking&utm_medium=referral&utm_campaign=fh_par	idtpqzltyfy.exe, 00000009.00000002.2053025546.0000000000FD4000.00000004.00000020.00020000.00000000.sdmp, idtpqzltyfy.exe, 00000009.00000002.2053122819.0000000001A6D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084893409.0000000001A7D000.00000004.00000010.00020000.00000000.sdmp, idtpqzltyfy.exe, 0000000F.00000002.3084792156.000000000101F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
85.13.130.3	membersystem.net	Germany	34788	NMM-ASD-02742FriedersdorfHauptstrasse68DE	false
188.225.40.227	followfriend.net	Russian Federation	9123	TIMEWEB-ASRU	false
34.246.200.160	thoughtbranch.net	United States	16509	AMAZON-02US	false
170.187.200.48	crowdtrust.net	United States	7018	ATT-INTERNET4US	false
35.164.78.200	memberreceive.net	United States	16509	AMAZON-02US	false
15.197.142.173	womanbelieve.net	United States	7430	TANDEMUS	false
54.244.188.177	womanhonor.net	United States	16509	AMAZON-02US	false
64.190.63.222	watersystem.net	United States	11696	NBS11696US	false
15.197.192.55	partybelieve.net	United States	7430	TANDEMUS	false
3.33.130.190	partygeneral.net	United States	8987	AMAZONEXPANSIONGB	false
213.171.195.105	thoughtsystem.net	United Kingdom	8560	ONEANDONE-ASBrauerstrasse48DE	false
81.169.145.88	freshfancy.net	Germany	6724	STRATOSTRATOAGDE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1488113
Start date and time:	2024-08-05 16:30:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mtuXDnH1Di.exe renamed because original name is a hash value
Original Sample Name:	475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a.exe
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@23/7@328/12
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 82 Number of non-executed functions: 88
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, d.3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.8.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: mtuXDnH1Di.exe

Simulations

Behavior and APIs

Time	Type	Description
10:31:33	API Interceptor	3687x Sleep call for process: amdrhfskpcu.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
85.13.130.3	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	membersystem.net/index.php
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	membersystem.net/index.php
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	membersystem.net/index.php
188.225.40.227	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	followfriend.net/index.php
	BeR96suzTx.exe	Get hash	malicious	FormBook	Browse	www.skazhiraku.net/itq4/?ATvHA=k2MpXHpX2FlDSbL&m8=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLYvRiJP5MpAf
	Rh3zHXGC0W.exe	Get hash	malicious	FormBook	Browse	www.ikra-prem.space/g8kn/?3f=SObGRIQc2SXqBOlWxSNvpO1BE/+cxQu6skH9Iz/5ZN4shibJkSmH+F/+6dh/KvA+GdhZXNtYOg==&s2J=v6Ah24bh4tF
	doc88.exe	Get hash	malicious	FormBook	Browse	www.skazhiraku.net/itq4/?BJ=xx/ELnNnKvtlLUNVhX4h3nTX7+vGZrU3iKsqjiSQXnXFY1tr2Fuuzh2bLbPBtofBSMpY&k6Apv=4hB0VF
	p6le0wM39E.exe	Get hash	malicious	DCRat	Browse	cq80904.tmweb.ru/vmHttpdefaultDb.php?K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ4YzM3YjZzgDNxkzM5UzMhNTNmVTNhNjN0MmZ4EmN4gzYmVjN4kTZ&K5Glm1IjUwWQCq0Uioy42v=MLZsFTiDn8Em9rir7K7wImpq3&EXQnpxYJ4aMICQvs=R7D0m961u58njgszmOLxASR&0xIfyHrB=3XszmcYUw52afU
	UYAfvxRha7.exe	Get hash	malicious	DCRat	Browse	cq80904.tmweb.ru/vmHttpdefaultDb.php?wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU&3fe0eef725958b7929a02603a5aa73a2=f84fad6cd29a3006db8b86eab6e3e434&36f380f5a045f0456c7866159c7edf74=AZ1MGNjVWZkZTMmRGOmRjNiZWMlNzYiNGZwEmY2UjNlRGZyMmZyQWM&wNx8559dK63E8kRo7N3gYQ=50VYeNDsGBfOUR3suNfn4yWU
34.246.200.160	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	thoughtbranch.net/index.php
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	thoughtbranch.net/index.php
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	thoughtbranch.net/index.php
	7sAylAXBOb.exe	Get hash	malicious	Unknown	Browse	figurewithout.net/index.php
	7sAylAXBOb.exe	Get hash	malicious	Unknown	Browse	figurewithout.net/index.php
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	figurewithout.net/index.php
	5a5O0c0oJP.exe	Get hash	malicious	Unknown	Browse	figurewithout.net/index.php
	Jla3M8Fe16.exe	Get hash	malicious	Unknown	Browse	figurewithout.net/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
watersystem.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	64.190.63.222
crowdtrust.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	170.187.200.48
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	170.187.200.48
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	170.187.200.48
thoughtsystem.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	213.171.195.105
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	213.171.195.105
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	213.171.195.105
womanbelieve.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	15.197.142.173
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	15.197.142.173
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	15.197.142.173
womanhonor.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
partygeneral.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	3.33.130.190
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	3.33.130.190
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	3.33.130.190
membersystem.net	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	85.13.130.3
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	85.13.130.3
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	85.13.130.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATT-INTERNET4US	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	170.187.200.48
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	170.187.200.48
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	170.187.200.48
	View Invoice#98783859 Statement for dpo.lu.htm	Get hash	malicious	HTMLPhisher	Browse	13.32.27.44
	unLc6VekkL.elf	Get hash	malicious	Mirai	Browse	13.143.18.150
	17nDkQW4tK.elf	Get hash	malicious	Mirai	Browse	69.236.41.25
	2PQz3l61Pc.elf	Get hash	malicious	Mirai	Browse	199.186.2.28
	botx.mips.elf	Get hash	malicious	Mirai	Browse	75.56.221.43
	botx.x86.elf	Get hash	malicious	Mirai	Browse	76.246.229.111
TIMEWEB-ASRU	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	188.225.40.227
	Runtime userer.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	r6KYedz4VQ.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	Gz3zPqMdtn.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	cnGgzU2rkd.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	https://diigo.com/0wzrly?ID=QtERFQmXrhNlWxfeW9PbYZfS3+Email=ambre.boyon@gerflor.com	Get hash	malicious	Unknown	Browse	188.225.39.170
	5F6Ny9UaKt.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
	LisectAVT_2403002C_62.dll	Get hash	malicious	Emotet	Browse	188.225.32.231
	qqMLbietPf.exe	Get hash	malicious	DCRat	Browse	185.114.247.170
NMM-ASD-02742FriedersdorfHauptstrasse68DE	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	85.13.130.3
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	85.13.130.3
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	85.13.130.3
	LisectAVT_2403002A_76.exe	Get hash	malicious	AgentTesla	Browse	85.13.147.213
	hNX3ktCRra.elf	Get hash	malicious	Unknown	Browse	85.13.140.189
	Fzfee1Lgc2.elf	Get hash	malicious	Unknown	Browse	85.13.155.154
	Yb6ztdvQaB.elf	Get hash	malicious	Unknown	Browse	85.13.132.87
	SLL8zVmaGj.elf	Get hash	malicious	Unknown	Browse	85.13.163.148
	Wk8eTHnajw.elf	Get hash	malicious	Unknown	Browse	85.13.130.45
AMAZON-02US	7qBBKk0P4l.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	Exv453QQIX.exe	Get hash	malicious	FormBook	Browse	76.223.105.230
	OneDriveSetup.exe	Get hash	malicious	ZTrat	Browse	3.126.224.214
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	Scanned Docs from Emnes Metal Sdn Bhd_.exe	Get hash	malicious	FormBook	Browse	76.223.67.189
	http://verizonwireless-employmentvalidation.com	Get hash	malicious	Unknown	Browse	3.124.93.206
	UjCrfOAkJJiZyZh.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	75.2.115.196
	vzPAucRnt7.exe	Get hash	malicious	Unknown	Browse	54.244.188.177
	.exe	Get hash	malicious	Unknown	Browse	52.42.85.34

Process:	C:\Windows\System32\svchost.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	999
Entropy (8bit):	4.966299883488245
Encrypted:	false
SSDEEP:	24:Jd4T7gw4TchTGBLtKEHcHGuDyeHRuDye6MGFiP6euDyRtz:34T53VGLv8HGuDyeHRuDye6MGFiP6euy
MD5:	24567B9212F806F6E3E27CDEB07728C0
SHA1:	371AE77042FFF52327BF4B929495D5603404107D
SHA-256:	82F352AD3C9B3E58ECD3207EDC38D5F01B14D968DA908406BD60FD93230B69F6
SHA-512:	5D5E65FCD9061DADC760C9B3124547F2BABEB49FD56A2FD2FE2AD2211A1CB15436DB24308A0B5A87DA24EC6AB2A9B0C5242D828BE85BD1B2683F9468CE310904
Malicious:	false
Preview:	.<?xml version="1.0" encoding="utf-8"?>..<software_identification_tag xmlns="http://standards.iso.org/iso/19770/-2/2009/schema.xsd">...<entitlement_required_indicator>true</entitlement_required_indicator>...<product_title>Windows 10 Pro</product_title>...<product_version>....<name>10.0.19041.1865</name>....<numeric>.....<major>10</major>.....<minor>0</minor>.....<build>19041</build>.....<review>1865</review>....</numeric>...</product_version>...<software_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_creator>...<software_licensor>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</software_licensor>...<software_id>....<unique_id>Windows-10-Pro</unique_id>....<tag_creator_regid>regid.1991-06.com.microsoft</tag_creator_regid>...</software_id>...<tag_creator>....<name>Microsoft Corporation</name>....<regid>regid.1991-06.com.microsoft</regid>...</tag_creator>..</software_identification_tag>..

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2464021707289623
Encrypted:	false
SSDEEP:	48:FaqdF7w8l0+AAHdKoqKFxcxkF28lraqdF7Lv+AAHdKoqKFxcxkFY:cEG+AAsoJjykcET+AAsoJjykO
MD5:	C88D021AC0FEA6AE0486B51DC4C3EB21
SHA1:	17DE4D0D3FD8DCDE25B91B646F3ED2D5310C1A49
SHA-256:	1DE0122DD4941C096F7D76403F72BF022FCEDE7777370CEEC07483256490BD64
SHA-512:	E9C10FEB013F6FF1C557D1318010D99F344A96D4BD8FC7DE7B63EC65389C3DBAF5989BAAC971FC35994A200DEE91B5272096C2A44940C1634178610EF9C9BE68
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. O.c.t. .. 0.5. .. 2.0.2.3. .1.2.:.2.8.:.3.6.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\whfkpbh\euwvjohdxkkj

Download File

Process:	C:\Users\user\Desktop\mtuXDnH1Di.exe
File Type:	data
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.5216406363433186
Encrypted:	false
SSDEEP:	3:zon:8
MD5:	68678699ABEA681A3BEF7BC9C04AA0DB
SHA1:	645AEBCE823CBFA211ECD2FA4878A586CC4ABE8E
SHA-256:	10F46E566F4A87C8973338326C4C0E497E0920983CCFE6BA82F734B5A00C3C64
SHA-512:	7D197C701C93120144A167E7AF27009583D56D80DF9861DE0897C4E16A45AE12B94457EA048D4D4C3978E6EF32EED3B49185356B201E282B955C8FD80713ED94
Malicious:	false
Preview:	..dd..b

C:\whfkpbh\amdrhfskpcu.exe

Download File

Process:	C:\whfkpbh\idtpqzltyfy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279552
Entropy (8bit):	7.1352696053252345
Encrypted:	false
SSDEEP:	6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
MD5:	E4B47C06B5EED80FB44CFEA757525634
SHA1:	78B5133CD84E3D89EBCA4B36F33273DF6E70C3F4
SHA-256:	475C13AE1D446C61824315961E5838916AC4A3F28BC441AA8A2B39B81383EA4A
SHA-512:	BEF0195A513A28E7C9868BCA359A4F1726C9F8D15204B743C0E2467E6F6C68A67994E737C82997FEF0C2BB9DCFC206100A0A52E756D286FBAF1E56D2E04E7843
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S..S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R...........E.......p....@..........................`............@....................................P....................................................................................p...............................text....Q.......R.................. ..`.rdata..(I...p...J...V..............@..@.data...,...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\whfkpbh\euwvjohdxkkj

Download File

Process:	C:\Users\user\Desktop\mtuXDnH1Di.exe
File Type:	data
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.5216406363433186
Encrypted:	false
SSDEEP:	3:zon:8
MD5:	68678699ABEA681A3BEF7BC9C04AA0DB
SHA1:	645AEBCE823CBFA211ECD2FA4878A586CC4ABE8E
SHA-256:	10F46E566F4A87C8973338326C4C0E497E0920983CCFE6BA82F734B5A00C3C64
SHA-512:	7D197C701C93120144A167E7AF27009583D56D80DF9861DE0897C4E16A45AE12B94457EA048D4D4C3978E6EF32EED3B49185356B201E282B955C8FD80713ED94
Malicious:	false
Preview:	..dd..b

C:\whfkpbh\idtpqzltyfy.exe

Download File

Process:	C:\whfkpbh\qbf43feev7f7qnhdav.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279552
Entropy (8bit):	7.1352696053252345
Encrypted:	false
SSDEEP:	6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
MD5:	E4B47C06B5EED80FB44CFEA757525634
SHA1:	78B5133CD84E3D89EBCA4B36F33273DF6E70C3F4
SHA-256:	475C13AE1D446C61824315961E5838916AC4A3F28BC441AA8A2B39B81383EA4A
SHA-512:	BEF0195A513A28E7C9868BCA359A4F1726C9F8D15204B743C0E2467E6F6C68A67994E737C82997FEF0C2BB9DCFC206100A0A52E756D286FBAF1E56D2E04E7843
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S..S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R...........E.......p....@..........................`............@....................................P....................................................................................p...............................text....Q.......R.................. ..`.rdata..(I...p...J...V..............@..@.data...,...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\whfkpbh\qbf43feev7f7qnhdav.exe

Download File

Process:	C:\Users\user\Desktop\mtuXDnH1Di.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	279552
Entropy (8bit):	7.1352696053252345
Encrypted:	false
SSDEEP:	6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
MD5:	E4B47C06B5EED80FB44CFEA757525634
SHA1:	78B5133CD84E3D89EBCA4B36F33273DF6E70C3F4
SHA-256:	475C13AE1D446C61824315961E5838916AC4A3F28BC441AA8A2B39B81383EA4A
SHA-512:	BEF0195A513A28E7C9868BCA359A4F1726C9F8D15204B743C0E2467E6F6C68A67994E737C82997FEF0C2BB9DCFC206100A0A52E756D286FBAF1E56D2E04E7843
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S..S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R...........E.......p....@..........................`............@....................................P....................................................................................p...............................text....Q.......R.................. ..`.rdata..(I...p...J...V..............@..@.data...,...........................@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.1352696053252345
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mtuXDnH1Di.exe
File size:	279'552 bytes
MD5:	e4b47c06b5eed80fb44cfea757525634
SHA1:	78b5133cd84e3d89ebca4b36f33273df6e70c3f4
SHA256:	475c13ae1d446c61824315961e5838916ac4a3f28bc441aa8a2b39b81383ea4a
SHA512:	bef0195a513a28e7c9868bca359a4f1726c9f8d15204b743c0e2467e6f6c68a67994e737c82997fef0c2bb9dcfc206100a0a52e756d286fbaf1e56d2e04e7843
SSDEEP:	6144:TLg1drHvFTdNWJDRm03jJGxoyApQU/waqElD:Te5RTWr/TJpZ/h
TLSH:	98549D44CD39512ACC968EFE4ABB37B2F45E587567E915C3438431C424602F8FABA78B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........2f..S...S...S....s..S...S...S.......S.......S.......S..Rich.S..........................PE..L....0.V.................R.........

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x424590
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x568930F7 [Sun Jan 3 14:32:23 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6f0f6728fed938390cd1a7b493280d77

Entrypoint Preview

Instruction
mov eax, dword ptr [0043F75Ch]
sar eax, 07h
sub eax, 0E724248h
and eax, 638AD6B6h
cmp eax, D4FE12C8h
je 00007F26005F36B6h
movzx ecx, word ptr [00473A94h]
or ecx, 9A29B7C6h
mov word ptr [00473A94h], cx
call 00007F26005EF6F3h
mov edx, dword ptr [0043F5C4h]
not edx
sub edx, 2D98DF04h
xor edx, 86D84936h
cmp edx, D7ABF1EFh
je 00007F26005F36ACh
add dword ptr [0044A8A4h], 24D523FCh
push esi
call 00007F26005FEE97h
mov eax, dword ptr [00445EB0h]
sub eax, 13C02B78h
push 00437190h
mov dword ptr [00447688h], eax
inc dword ptr [00445EB0h]
push 00437188h
call 00007F26005E84A3h
fld dword ptr [0047ACD4h]
fadd qword ptr [0045F648h]
add esp, 08h
fld qword ptr [0044FAB0h]
fld qword ptr [00459DF0h]
fsubp st(2), st(0)
fsubrp st(1), st(0)
fstp qword ptr [0044FAB0h]
call 00007F26006006C9h
fld dword ptr [0047D39Ch]
mov esi, eax
fmul dword ptr [00486544h]
fld dword ptr [0047A424h]
fcomip st(0), st(1)
fstp st(0)
jbe 00007F26005F36B9h
dec dword ptr [00000000h]

Rich Headers

Programming Language:

[IMP] VS2005 build 50727
[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3b0e0	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8b000	0x9ca4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x37000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x351ea	0x35200	b8a604ad7d1ad7d6f5659a8bfca32505	False	0.6966911764705882	data	6.86562473291782	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x37000	0x4928	0x4a00	9fa4f015e03b624e77fc713f54352d1c	False	0.8504539695945946	COM executable for DOS	7.1602946748436205	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3c000	0x4ef2c	0x200	07b5472d347d42780469fb2654b7fc54	False	0.02734375	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x8b000	0xa012	0xa200	a9d11539c5aa2bd739792d7ebff48b74	False	0.6754195601851852	data	6.7897361685185675	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	SetTextCharacterExtra, SetSystemPaletteUse, GetTextCharsetInfo, GetTextCharset, GetMapMode, GetTextColor, SetTextJustification, GetCurrentObject, GetMetaRgn, GetClipRgn, GetFontUnicodeRanges, GetTextCharacterExtra, GetSystemPaletteUse, GetFontLanguageInfo, GetStretchBltMode, GetPolyFillMode, GetObjectType, GetRandomRgn, SetTextAlign, GetNearestPaletteIndex, GetTextAlign, GetPixelFormat, GetDCBrushColor, GetBkColor, GetNearestColor, SetPixel
USER32.dll	EndPaint, GetCursor, GetDlgItem, GetMenuItemCount, SetWindowTextA, GetPropA, SendMessageA, MoveWindow, GetWindowDC, SetFocus, IsWindowUnicode, WindowFromDC, GetDC, LoadIconA, GetQueueStatus, EnableWindow, GetKeyboardType, EndDialog, GetDlgItemInt, GetInputState, CallWindowProcA, GetMenu, PostMessageA, GetMenuItemID, IsWindowEnabled, SetDlgItemTextA, GetWindowContextHelpId, CheckDlgButton, GetScrollPos, DrawTextA, GetForegroundWindow, RemovePropA, GetMenuState, BeginPaint, GetWindowLongA, ShowWindow, GetMenuContextHelpId
KERNEL32.dll	HeapAlloc, GetStdHandle, GlobalAlloc, GetModuleHandleA, GetCurrentThreadId, GetTickCount, GetLastError, GlobalSize, IsDebuggerPresent, GlobalFlags, MoveFileA, GlobalHandle, SizeofResource, IsProcessorFeaturePresent, LocalFlags, GetProcAddress, GetDriveTypeA, GetCurrentProcessId, GetFileTime, GetCurrentProcess, FlushFileBuffers, SetFilePointer, WriteFile, LockResource, GetFileType, CloseHandle, GetVersion, QueryPerformanceCounter, LoadResource, FindResourceA, DeleteFileA, GetProcessHeap

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-08-05T16:32:24.185870+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50096	80	192.168.2.10	3.33.130.190
2024-08-05T16:31:26.343740+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49722	54.244.188.177	192.168.2.10
2024-08-05T16:31:11.751114+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49708	35.164.78.200	192.168.2.10
2024-08-05T16:32:44.788310+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	50106	54.244.188.177	192.168.2.10
2024-08-05T16:32:44.783451+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50106	80	192.168.2.10	54.244.188.177
2024-08-05T16:31:09.159317+0200	UDP	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	53	64235	1.1.1.1	192.168.2.10
2024-08-05T16:32:36.084346+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50100	80	192.168.2.10	15.197.192.55
2024-08-05T16:31:25.243622+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49721	80	192.168.2.10	64.190.63.222
2024-08-05T16:31:17.214399+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49711	80	192.168.2.10	15.197.192.55
2024-08-05T16:31:31.936050+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49725	80	192.168.2.10	188.225.40.227
2024-08-05T16:31:24.427024+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49720	80	192.168.2.10	213.171.195.105
2024-08-05T16:31:26.338291+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49722	80	192.168.2.10	54.244.188.177
2024-08-05T16:31:11.746217+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49708	80	192.168.2.10	35.164.78.200
2024-08-05T16:31:13.938330+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49709	80	192.168.2.10	34.246.200.160
2024-08-05T16:32:28.649939+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50097	80	192.168.2.10	35.164.78.200
2024-08-05T16:31:11.758243+0200	UDP	2018316	ET MALWARE Possible Zeus GameOver/FluBot Related DGA NXDOMAIN Responses	53	54120	1.1.1.1	192.168.2.10
2024-08-05T16:31:11.985924+0200	UDP	2811542	ETPRO MALWARE Possible Tinba DGA NXDOMAIN Responses (net)	53	55555	1.1.1.1	192.168.2.10
2024-08-05T16:32:39.692818+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50102	80	192.168.2.10	3.33.130.190
2024-08-05T16:31:23.484957+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49719	80	192.168.2.10	170.187.200.48
2024-08-05T16:32:34.076197+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50099	80	192.168.2.10	15.197.142.173
2024-08-05T16:31:27.951432+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49723	80	192.168.2.10	81.169.145.88
2024-08-05T16:32:39.216523+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50101	80	192.168.2.10	85.13.130.3
2024-08-05T16:31:08.013716+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	49707	80	192.168.2.10	3.33.130.190
2024-08-05T16:32:43.907528+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50105	80	192.168.2.10	64.190.63.222
2024-08-05T16:31:13.946127+0200	TCP	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	80	49709	34.246.200.160	192.168.2.10
2024-08-05T16:32:32.049198+0200	TCP	2815568	ETPRO MALWARE Terse HTTP 1.0 Request Possible Nivdort	50098	80	192.168.2.10	34.246.200.160

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 16:31:04.598036051 CEST	49707	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:04.603511095 CEST	80	49707	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:04.603662968 CEST	49707	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:04.603718042 CEST	49707	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:04.608745098 CEST	80	49707	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:08.013556004 CEST	80	49707	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:08.013715982 CEST	49707	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:08.013935089 CEST	80	49707	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:08.014002085 CEST	49707	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:08.018573999 CEST	80	49707	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:10.985224962 CEST	49708	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:31:10.990382910 CEST	80	49708	35.164.78.200	192.168.2.10
Aug 5, 2024 16:31:10.990497112 CEST	49708	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:31:10.990581036 CEST	49708	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:31:10.995706081 CEST	80	49708	35.164.78.200	192.168.2.10
Aug 5, 2024 16:31:11.745836973 CEST	80	49708	35.164.78.200	192.168.2.10
Aug 5, 2024 16:31:11.746135950 CEST	80	49708	35.164.78.200	192.168.2.10
Aug 5, 2024 16:31:11.746217012 CEST	49708	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:31:11.746265888 CEST	49708	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:31:11.751113892 CEST	80	49708	35.164.78.200	192.168.2.10
Aug 5, 2024 16:31:13.171947002 CEST	49709	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:31:13.177054882 CEST	80	49709	34.246.200.160	192.168.2.10
Aug 5, 2024 16:31:13.177177906 CEST	49709	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:31:13.177247047 CEST	49709	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:31:13.182131052 CEST	80	49709	34.246.200.160	192.168.2.10
Aug 5, 2024 16:31:13.938179970 CEST	80	49709	34.246.200.160	192.168.2.10
Aug 5, 2024 16:31:13.938210964 CEST	80	49709	34.246.200.160	192.168.2.10
Aug 5, 2024 16:31:13.938329935 CEST	49709	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:31:13.940022945 CEST	49709	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:31:13.946126938 CEST	80	49709	34.246.200.160	192.168.2.10
Aug 5, 2024 16:31:15.030508995 CEST	49710	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:31:15.035887957 CEST	80	49710	15.197.142.173	192.168.2.10
Aug 5, 2024 16:31:15.035972118 CEST	49710	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:31:15.036025047 CEST	49710	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:31:15.042180061 CEST	80	49710	15.197.142.173	192.168.2.10
Aug 5, 2024 16:31:15.544984102 CEST	80	49710	15.197.142.173	192.168.2.10
Aug 5, 2024 16:31:15.545161963 CEST	49710	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:31:15.545169115 CEST	80	49710	15.197.142.173	192.168.2.10
Aug 5, 2024 16:31:15.545264006 CEST	49710	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:31:15.550065041 CEST	80	49710	15.197.142.173	192.168.2.10
Aug 5, 2024 16:31:16.723711967 CEST	49711	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:16.728558064 CEST	80	49711	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:16.728642941 CEST	49711	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:16.728858948 CEST	49711	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:16.733772993 CEST	80	49711	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:17.214251041 CEST	80	49711	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:17.214365959 CEST	80	49711	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:17.214399099 CEST	49711	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:17.214432001 CEST	49711	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:17.219208956 CEST	80	49711	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:19.202613115 CEST	49714	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:31:19.207577944 CEST	80	49714	85.13.130.3	192.168.2.10
Aug 5, 2024 16:31:19.207680941 CEST	49714	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:31:19.207770109 CEST	49714	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:31:19.212671041 CEST	80	49714	85.13.130.3	192.168.2.10
Aug 5, 2024 16:31:19.843400002 CEST	80	49714	85.13.130.3	192.168.2.10
Aug 5, 2024 16:31:19.843583107 CEST	49714	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:31:19.843826056 CEST	80	49714	85.13.130.3	192.168.2.10
Aug 5, 2024 16:31:19.844023943 CEST	49714	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:31:19.848536015 CEST	80	49714	85.13.130.3	192.168.2.10
Aug 5, 2024 16:31:19.868438959 CEST	49716	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:19.873328924 CEST	80	49716	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:19.873419046 CEST	49716	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:19.873462915 CEST	49716	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:19.878249884 CEST	80	49716	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:20.373877048 CEST	80	49716	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:20.373944044 CEST	80	49716	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:20.374176979 CEST	49716	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:20.377518892 CEST	49716	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:31:20.384504080 CEST	80	49716	3.33.130.190	192.168.2.10
Aug 5, 2024 16:31:22.966054916 CEST	49719	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:31:22.971343040 CEST	80	49719	170.187.200.48	192.168.2.10
Aug 5, 2024 16:31:22.971466064 CEST	49719	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:31:22.971522093 CEST	49719	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:31:22.976541042 CEST	80	49719	170.187.200.48	192.168.2.10
Aug 5, 2024 16:31:23.484765053 CEST	80	49719	170.187.200.48	192.168.2.10
Aug 5, 2024 16:31:23.484956980 CEST	49719	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:31:23.486268997 CEST	80	49719	170.187.200.48	192.168.2.10
Aug 5, 2024 16:31:23.486349106 CEST	49719	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:31:23.489829063 CEST	80	49719	170.187.200.48	192.168.2.10
Aug 5, 2024 16:31:23.808054924 CEST	49720	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:31:23.813009024 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:23.813113928 CEST	49720	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:31:23.813163042 CEST	49720	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:31:23.818097115 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.426836014 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.426889896 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.426928997 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.426961899 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.427000046 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.427023888 CEST	49720	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:31:24.427064896 CEST	49720	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:31:24.427211046 CEST	49720	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:31:24.431972027 CEST	80	49720	213.171.195.105	192.168.2.10
Aug 5, 2024 16:31:24.603634119 CEST	49721	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:31:24.608911037 CEST	80	49721	64.190.63.222	192.168.2.10
Aug 5, 2024 16:31:24.609005928 CEST	49721	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:31:24.609029055 CEST	49721	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:31:24.614034891 CEST	80	49721	64.190.63.222	192.168.2.10
Aug 5, 2024 16:31:25.243453026 CEST	80	49721	64.190.63.222	192.168.2.10
Aug 5, 2024 16:31:25.243526936 CEST	80	49721	64.190.63.222	192.168.2.10
Aug 5, 2024 16:31:25.243622065 CEST	49721	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:31:25.243781090 CEST	49721	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:31:25.248863935 CEST	80	49721	64.190.63.222	192.168.2.10
Aug 5, 2024 16:31:25.597173929 CEST	49722	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:31:25.602190018 CEST	80	49722	54.244.188.177	192.168.2.10
Aug 5, 2024 16:31:25.602300882 CEST	49722	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:31:25.602329969 CEST	49722	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:31:25.607182980 CEST	80	49722	54.244.188.177	192.168.2.10
Aug 5, 2024 16:31:26.337407112 CEST	80	49722	54.244.188.177	192.168.2.10
Aug 5, 2024 16:31:26.338172913 CEST	80	49722	54.244.188.177	192.168.2.10
Aug 5, 2024 16:31:26.338290930 CEST	49722	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:31:26.338881016 CEST	49722	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:31:26.343739986 CEST	80	49722	54.244.188.177	192.168.2.10
Aug 5, 2024 16:31:27.290040016 CEST	49723	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:31:27.295059919 CEST	80	49723	81.169.145.88	192.168.2.10
Aug 5, 2024 16:31:27.295234919 CEST	49723	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:31:27.295305967 CEST	49723	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:31:27.300213099 CEST	80	49723	81.169.145.88	192.168.2.10
Aug 5, 2024 16:31:27.951025009 CEST	80	49723	81.169.145.88	192.168.2.10
Aug 5, 2024 16:31:27.951431990 CEST	49723	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:31:27.951509953 CEST	80	49723	81.169.145.88	192.168.2.10
Aug 5, 2024 16:31:27.951566935 CEST	49723	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:31:27.956625938 CEST	80	49723	81.169.145.88	192.168.2.10
Aug 5, 2024 16:31:30.117564917 CEST	49724	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:30.122426987 CEST	80	49724	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:30.122517109 CEST	49724	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:30.122541904 CEST	49724	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:30.127495050 CEST	80	49724	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:30.586142063 CEST	80	49724	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:30.586221933 CEST	80	49724	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:30.586301088 CEST	49724	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:30.586395025 CEST	49724	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:31:30.591202021 CEST	80	49724	15.197.192.55	192.168.2.10
Aug 5, 2024 16:31:31.272192001 CEST	49725	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:31:31.277347088 CEST	80	49725	188.225.40.227	192.168.2.10
Aug 5, 2024 16:31:31.277446032 CEST	49725	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:31:31.277501106 CEST	49725	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:31:31.282480955 CEST	80	49725	188.225.40.227	192.168.2.10
Aug 5, 2024 16:31:31.935910940 CEST	80	49725	188.225.40.227	192.168.2.10
Aug 5, 2024 16:31:31.936049938 CEST	49725	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:31:31.936186075 CEST	80	49725	188.225.40.227	192.168.2.10
Aug 5, 2024 16:31:31.936239958 CEST	49725	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:31:31.941191912 CEST	80	49725	188.225.40.227	192.168.2.10
Aug 5, 2024 16:32:22.760795116 CEST	50096	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:22.765746117 CEST	80	50096	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:22.765882969 CEST	50096	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:22.765919924 CEST	50096	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:22.770673037 CEST	80	50096	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:24.185717106 CEST	80	50096	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:24.185803890 CEST	80	50096	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:24.185869932 CEST	50096	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:24.185902119 CEST	50096	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:24.190818071 CEST	80	50096	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:27.777128935 CEST	50097	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:32:27.782084942 CEST	80	50097	35.164.78.200	192.168.2.10
Aug 5, 2024 16:32:27.782187939 CEST	50097	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:32:27.782249928 CEST	50097	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:32:27.787312031 CEST	80	50097	35.164.78.200	192.168.2.10
Aug 5, 2024 16:32:28.648246050 CEST	80	50097	35.164.78.200	192.168.2.10
Aug 5, 2024 16:32:28.648281097 CEST	80	50097	35.164.78.200	192.168.2.10
Aug 5, 2024 16:32:28.648296118 CEST	80	50097	35.164.78.200	192.168.2.10
Aug 5, 2024 16:32:28.649939060 CEST	50097	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:32:28.652945995 CEST	50097	80	192.168.2.10	35.164.78.200
Aug 5, 2024 16:32:28.657891035 CEST	80	50097	35.164.78.200	192.168.2.10
Aug 5, 2024 16:32:30.908715963 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:30.917853117 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:30.917921066 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:30.917957067 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:30.922789097 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:32.049094915 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:32.049128056 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:32.049197912 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:32.049274921 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:32.049519062 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:32.049556971 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:32.050523996 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:32.050570965 CEST	50098	80	192.168.2.10	34.246.200.160
Aug 5, 2024 16:32:32.056155920 CEST	80	50098	34.246.200.160	192.168.2.10
Aug 5, 2024 16:32:33.587465048 CEST	50099	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:32:33.592457056 CEST	80	50099	15.197.142.173	192.168.2.10
Aug 5, 2024 16:32:33.592585087 CEST	50099	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:32:33.592585087 CEST	50099	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:32:33.597656012 CEST	80	50099	15.197.142.173	192.168.2.10
Aug 5, 2024 16:32:34.075978041 CEST	80	50099	15.197.142.173	192.168.2.10
Aug 5, 2024 16:32:34.076047897 CEST	80	50099	15.197.142.173	192.168.2.10
Aug 5, 2024 16:32:34.076196909 CEST	50099	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:32:34.076303005 CEST	50099	80	192.168.2.10	15.197.142.173
Aug 5, 2024 16:32:34.081166983 CEST	80	50099	15.197.142.173	192.168.2.10
Aug 5, 2024 16:32:34.544500113 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:34.553410053 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:34.553548098 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:34.553592920 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:34.559763908 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:36.084207058 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:36.084260941 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:36.084346056 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:36.084498882 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:36.084547043 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:36.084641933 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:36.084979057 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:36.085036993 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:36.086308956 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:36.086359978 CEST	50100	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:36.090589046 CEST	80	50100	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:38.568228006 CEST	50101	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:32:38.575520992 CEST	80	50101	85.13.130.3	192.168.2.10
Aug 5, 2024 16:32:38.575814009 CEST	50101	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:32:38.575814009 CEST	50101	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:32:38.580658913 CEST	80	50101	85.13.130.3	192.168.2.10
Aug 5, 2024 16:32:39.215950012 CEST	80	50101	85.13.130.3	192.168.2.10
Aug 5, 2024 16:32:39.216522932 CEST	50101	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:32:39.217006922 CEST	80	50101	85.13.130.3	192.168.2.10
Aug 5, 2024 16:32:39.217101097 CEST	50101	80	192.168.2.10	85.13.130.3
Aug 5, 2024 16:32:39.221282005 CEST	80	50101	85.13.130.3	192.168.2.10
Aug 5, 2024 16:32:39.230557919 CEST	50102	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:39.235455036 CEST	80	50102	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:39.235532045 CEST	50102	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:39.235579014 CEST	50102	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:39.240355968 CEST	80	50102	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:39.692394972 CEST	80	50102	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:39.692817926 CEST	50102	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:39.692842960 CEST	80	50102	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:39.692897081 CEST	50102	80	192.168.2.10	3.33.130.190
Aug 5, 2024 16:32:39.697731972 CEST	80	50102	3.33.130.190	192.168.2.10
Aug 5, 2024 16:32:41.216564894 CEST	50103	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:32:41.221508026 CEST	80	50103	170.187.200.48	192.168.2.10
Aug 5, 2024 16:32:41.221585035 CEST	50103	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:32:41.221635103 CEST	50103	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:32:41.226751089 CEST	80	50103	170.187.200.48	192.168.2.10
Aug 5, 2024 16:32:41.716304064 CEST	80	50103	170.187.200.48	192.168.2.10
Aug 5, 2024 16:32:41.716418028 CEST	80	50103	170.187.200.48	192.168.2.10
Aug 5, 2024 16:32:41.716466904 CEST	50103	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:32:41.717180967 CEST	50103	80	192.168.2.10	170.187.200.48
Aug 5, 2024 16:32:41.721354961 CEST	80	50103	170.187.200.48	192.168.2.10
Aug 5, 2024 16:32:41.993932962 CEST	50104	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:32:41.998857021 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:41.999102116 CEST	50104	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:32:41.999102116 CEST	50104	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:32:42.004072905 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.606091022 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.606115103 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.606127024 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.606175900 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.606252909 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.606275082 CEST	50104	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:32:42.606388092 CEST	50104	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:32:42.606921911 CEST	50104	80	192.168.2.10	213.171.195.105
Aug 5, 2024 16:32:42.607314110 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:42.612217903 CEST	80	50104	213.171.195.105	192.168.2.10
Aug 5, 2024 16:32:42.612234116 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:42.612492085 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:42.612492085 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:42.617733955 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:43.907408953 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:43.907435894 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:43.907445908 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:43.907527924 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:43.907527924 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:43.907685995 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:43.907685995 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:43.907685995 CEST	50105	80	192.168.2.10	64.190.63.222
Aug 5, 2024 16:32:43.914313078 CEST	80	50105	64.190.63.222	192.168.2.10
Aug 5, 2024 16:32:43.932887077 CEST	50106	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:32:43.937853098 CEST	80	50106	54.244.188.177	192.168.2.10
Aug 5, 2024 16:32:43.938019991 CEST	50106	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:32:43.942903996 CEST	80	50106	54.244.188.177	192.168.2.10
Aug 5, 2024 16:32:44.783339024 CEST	80	50106	54.244.188.177	192.168.2.10
Aug 5, 2024 16:32:44.783369064 CEST	80	50106	54.244.188.177	192.168.2.10
Aug 5, 2024 16:32:44.783377886 CEST	80	50106	54.244.188.177	192.168.2.10
Aug 5, 2024 16:32:44.783451080 CEST	50106	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:32:44.783499002 CEST	50106	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:32:44.783565998 CEST	50106	80	192.168.2.10	54.244.188.177
Aug 5, 2024 16:32:44.788310051 CEST	80	50106	54.244.188.177	192.168.2.10
Aug 5, 2024 16:32:46.329724073 CEST	50107	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:32:46.334722996 CEST	80	50107	81.169.145.88	192.168.2.10
Aug 5, 2024 16:32:46.334861994 CEST	50107	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:32:46.334935904 CEST	50107	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:32:46.339939117 CEST	80	50107	81.169.145.88	192.168.2.10
Aug 5, 2024 16:32:46.997354984 CEST	80	50107	81.169.145.88	192.168.2.10
Aug 5, 2024 16:32:46.997543097 CEST	50107	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:32:46.997791052 CEST	80	50107	81.169.145.88	192.168.2.10
Aug 5, 2024 16:32:46.997837067 CEST	50107	80	192.168.2.10	81.169.145.88
Aug 5, 2024 16:32:47.002635002 CEST	80	50107	81.169.145.88	192.168.2.10
Aug 5, 2024 16:32:48.589816093 CEST	50108	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:48.594723940 CEST	80	50108	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:48.594836950 CEST	50108	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:48.594881058 CEST	50108	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:48.599795103 CEST	80	50108	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:49.099131107 CEST	80	50108	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:49.099292994 CEST	50108	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:49.104705095 CEST	80	50108	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:49.104806900 CEST	50108	80	192.168.2.10	15.197.192.55
Aug 5, 2024 16:32:49.105032921 CEST	80	50108	15.197.192.55	192.168.2.10
Aug 5, 2024 16:32:49.634453058 CEST	50109	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:32:49.639533997 CEST	80	50109	188.225.40.227	192.168.2.10
Aug 5, 2024 16:32:49.639631033 CEST	50109	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:32:49.639673948 CEST	50109	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:32:49.645750999 CEST	80	50109	188.225.40.227	192.168.2.10
Aug 5, 2024 16:32:50.350815058 CEST	80	50109	188.225.40.227	192.168.2.10
Aug 5, 2024 16:32:50.351325035 CEST	80	50109	188.225.40.227	192.168.2.10
Aug 5, 2024 16:32:50.351392984 CEST	50109	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:32:50.352075100 CEST	50109	80	192.168.2.10	188.225.40.227
Aug 5, 2024 16:32:50.364639997 CEST	80	50109	188.225.40.227	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2024 16:31:02.882504940 CEST	54642	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.123699903 CEST	53	54642	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.127038956 CEST	53652	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.368786097 CEST	53	53652	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.369817972 CEST	55052	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.619467974 CEST	53	55052	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.620843887 CEST	57198	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.632782936 CEST	53	57198	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.633685112 CEST	60718	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.644922972 CEST	53	60718	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.645592928 CEST	57891	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.897247076 CEST	53	57891	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.898564100 CEST	60104	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.914211035 CEST	53	60104	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.915992975 CEST	49762	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:03.929848909 CEST	53	49762	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:03.931103945 CEST	64569	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:04.175720930 CEST	53	64569	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:04.177119970 CEST	55662	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:04.595024109 CEST	53	55662	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.014672041 CEST	49885	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.027597904 CEST	53	49885	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.028759956 CEST	62954	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.039952993 CEST	53	62954	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.041120052 CEST	56002	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.052355051 CEST	53	56002	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.053561926 CEST	60441	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.065361023 CEST	53	60441	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.066418886 CEST	55144	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.077836990 CEST	53	55144	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.078897953 CEST	64447	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.091353893 CEST	53	64447	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.092212915 CEST	61957	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.104657888 CEST	53	61957	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.107326984 CEST	63490	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.121541023 CEST	53	63490	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.157839060 CEST	53274	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.171524048 CEST	53	53274	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.176866055 CEST	61776	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.189651966 CEST	53	61776	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.199841022 CEST	61459	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.213581085 CEST	53	61459	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.214617968 CEST	56071	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.456006050 CEST	53	56071	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.457214117 CEST	61871	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.468146086 CEST	53	61871	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.469610929 CEST	61261	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.481534958 CEST	53	61261	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.484849930 CEST	52162	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.496880054 CEST	53	52162	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.497895956 CEST	52253	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.741897106 CEST	53	52253	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.743220091 CEST	54477	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:08.754390955 CEST	53	54477	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:08.755007982 CEST	63785	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.137027979 CEST	53	63785	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.138333082 CEST	59618	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.148044109 CEST	53	59618	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.148946047 CEST	64235	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.159317017 CEST	53	64235	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.161900997 CEST	58782	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.174053907 CEST	53	58782	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.182653904 CEST	65484	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.193505049 CEST	53	65484	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.194304943 CEST	61332	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.205033064 CEST	53	61332	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.205719948 CEST	61164	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.217638969 CEST	53	61164	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.218358040 CEST	53903	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.229449987 CEST	53	53903	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.230298042 CEST	51339	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:09.650331974 CEST	53	51339	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:09.651259899 CEST	59753	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:10.656595945 CEST	59753	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:10.984312057 CEST	53	59753	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:10.984333992 CEST	53	59753	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.746931076 CEST	54120	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.758243084 CEST	53	54120	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.759210110 CEST	61701	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.923599005 CEST	53	61701	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.924520016 CEST	53867	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.935796976 CEST	53	53867	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.937032938 CEST	59994	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.950258970 CEST	53	59994	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.951244116 CEST	53485	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.962147951 CEST	53	53485	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.963010073 CEST	56773	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.976102114 CEST	53	56773	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.977101088 CEST	55555	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.985924006 CEST	53	55555	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.986973047 CEST	54646	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:11.998321056 CEST	53	54646	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:11.999177933 CEST	50275	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.010941982 CEST	53	50275	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.011706114 CEST	50732	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.022568941 CEST	53	50732	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.023710012 CEST	61956	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.266926050 CEST	53	61956	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.267842054 CEST	51428	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.433532953 CEST	53	51428	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.434365988 CEST	61282	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.445215940 CEST	53	61282	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.446016073 CEST	54711	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.456923008 CEST	53	54711	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.457683086 CEST	60374	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.707465887 CEST	53	60374	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.708470106 CEST	58551	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.720959902 CEST	53	58551	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.721693039 CEST	51452	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.966407061 CEST	53	51452	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.967549086 CEST	57288	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:12.978590965 CEST	53	57288	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:12.979518890 CEST	62311	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:13.170535088 CEST	53	62311	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:13.947841883 CEST	53228	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:13.958558083 CEST	53	53228	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:13.966900110 CEST	61227	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.219438076 CEST	53	61227	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.221539974 CEST	59377	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.231827974 CEST	53	59377	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.232577085 CEST	51744	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.487895012 CEST	53	51744	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.488934040 CEST	61094	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.501066923 CEST	53	61094	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.501771927 CEST	53915	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.745045900 CEST	53	53915	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.746081114 CEST	51484	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.758243084 CEST	53	51484	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.759401083 CEST	63725	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:14.771692038 CEST	53	63725	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:14.772619009 CEST	49329	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:15.015778065 CEST	53	49329	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:15.017370939 CEST	62483	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:15.029992104 CEST	53	62483	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:15.545840979 CEST	58661	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:15.557074070 CEST	53	58661	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:15.557965040 CEST	65504	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:15.569936037 CEST	53	65504	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:15.570674896 CEST	57836	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:15.821790934 CEST	53	57836	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:15.823009968 CEST	53780	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:15.989303112 CEST	53	53780	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:15.990343094 CEST	50771	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:16.001560926 CEST	53	50771	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:16.002454042 CEST	56196	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:16.013400078 CEST	53	56196	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:16.014286995 CEST	62614	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:16.266304016 CEST	53	62614	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:16.267287970 CEST	58516	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:16.723171949 CEST	53	58516	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.215126991 CEST	53261	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.225441933 CEST	53	53261	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.226217985 CEST	58181	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.238430023 CEST	53	58181	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.239258051 CEST	63522	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.249182940 CEST	53	63522	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.249949932 CEST	60882	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.267744064 CEST	53	60882	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.268583059 CEST	53372	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.280169010 CEST	53	53372	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.281032085 CEST	53835	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.530540943 CEST	53	53835	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.531606913 CEST	59613	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.544811010 CEST	53	59613	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.545734882 CEST	50372	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.557107925 CEST	53	50372	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.557972908 CEST	60525	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:17.807112932 CEST	53	60525	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:17.808018923 CEST	51190	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.051311970 CEST	53	51190	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.052470922 CEST	54721	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.295154095 CEST	53	54721	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.296248913 CEST	62461	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.306874990 CEST	53	62461	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.308192015 CEST	53767	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.318855047 CEST	53	53767	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.321122885 CEST	51540	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.561886072 CEST	53	51540	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.562916994 CEST	63359	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.573410034 CEST	53	63359	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.574088097 CEST	65222	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.584362030 CEST	53	65222	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.585004091 CEST	49270	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.594999075 CEST	53	49270	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.595588923 CEST	64981	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.606939077 CEST	53	64981	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.607501984 CEST	53885	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.618376017 CEST	53	53885	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.618956089 CEST	59684	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.629687071 CEST	53	59684	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.630228043 CEST	53915	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.641130924 CEST	53	53915	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.641748905 CEST	53522	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.652705908 CEST	53	53522	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.653347969 CEST	61031	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.664110899 CEST	53	61031	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.664727926 CEST	56766	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.674818039 CEST	53	56766	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.675411940 CEST	53975	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:18.925134897 CEST	53	53975	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:18.926172972 CEST	56912	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:19.167649984 CEST	53	56912	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:19.168669939 CEST	62613	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:19.201889038 CEST	53	62613	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:19.844845057 CEST	54070	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:19.855760098 CEST	53	54070	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:19.858544111 CEST	50956	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:19.867927074 CEST	53	50956	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:20.381906986 CEST	49333	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:20.624916077 CEST	53	49333	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:20.626261950 CEST	63734	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:20.875731945 CEST	53	63734	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:20.880215883 CEST	49654	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.131767035 CEST	53	49654	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.132921934 CEST	61157	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.144817114 CEST	53	61157	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.145684958 CEST	56716	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.395152092 CEST	53	56716	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.396131039 CEST	64092	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.411504030 CEST	53	64092	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.413428068 CEST	65475	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.427007914 CEST	53	65475	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.427905083 CEST	56094	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.438431025 CEST	53	56094	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.439368010 CEST	52382	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:21.689698935 CEST	53	52382	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:21.690788031 CEST	56094	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.178817987 CEST	53	56094	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:22.179846048 CEST	62757	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.191232920 CEST	53	62757	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:22.192302942 CEST	64386	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.434514999 CEST	53	64386	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:22.435436010 CEST	60782	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.447223902 CEST	53	60782	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:22.447968006 CEST	57867	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.460253954 CEST	53	57867	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:22.460942030 CEST	64108	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.705440998 CEST	53	64108	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:22.706429958 CEST	56490	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:22.964427948 CEST	53	56490	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:23.485728025 CEST	57186	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:23.733464003 CEST	53	57186	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:23.734543085 CEST	57574	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:23.744991064 CEST	53	57574	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:23.745800018 CEST	56599	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:23.759248018 CEST	53	56599	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:23.759983063 CEST	63047	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:23.772066116 CEST	53	63047	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:23.772779942 CEST	56837	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:23.807327032 CEST	53	56837	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:24.427989960 CEST	60591	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:24.602765083 CEST	53	60591	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:25.244570017 CEST	63037	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:25.254368067 CEST	53	63037	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:25.255331039 CEST	55915	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:25.499044895 CEST	53	55915	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:25.500210047 CEST	52356	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:25.596424103 CEST	53	52356	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.339097023 CEST	57923	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.349932909 CEST	53	57923	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.351042986 CEST	56762	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.362919092 CEST	53	56762	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.363776922 CEST	60417	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.603879929 CEST	53	60417	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.604753017 CEST	52134	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.847558022 CEST	53	52134	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.848715067 CEST	55855	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.862624884 CEST	53	55855	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.863360882 CEST	58207	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.871279955 CEST	53	58207	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.872020006 CEST	56124	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.885158062 CEST	53	56124	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.885767937 CEST	63794	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.896200895 CEST	53	63794	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.896840096 CEST	61045	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.913167000 CEST	53	61045	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.913857937 CEST	63709	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.925261974 CEST	53	63709	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.926032066 CEST	56802	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.939064980 CEST	53	56802	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.939829111 CEST	50927	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.950956106 CEST	53	50927	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.951847076 CEST	50129	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:26.991031885 CEST	53	50129	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:26.992214918 CEST	50124	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:27.235472918 CEST	53	50124	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:27.236715078 CEST	62099	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:27.248698950 CEST	53	62099	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:27.249437094 CEST	61589	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:27.260973930 CEST	53	61589	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:27.261852980 CEST	50753	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:27.273179054 CEST	53	50753	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:27.274288893 CEST	58447	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:27.289246082 CEST	53	58447	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:27.952100992 CEST	59936	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.197757006 CEST	53	59936	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.198993921 CEST	62766	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.450350046 CEST	53	62766	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.451400042 CEST	61055	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.462909937 CEST	53	61055	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.463675022 CEST	63534	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.475003004 CEST	53	63534	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.475723028 CEST	52131	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.486460924 CEST	53	52131	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.487063885 CEST	62766	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.497008085 CEST	53	62766	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.497598886 CEST	51989	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.741091967 CEST	53	51989	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.742126942 CEST	51477	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:28.754682064 CEST	53	51477	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:28.755708933 CEST	56447	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:29.274082899 CEST	53	56447	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:29.275326014 CEST	63538	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:29.289019108 CEST	53	63538	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:29.289943933 CEST	57628	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:29.532686949 CEST	53	57628	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:29.533618927 CEST	49918	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:29.776072025 CEST	53	49918	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:29.777103901 CEST	52024	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:30.116986990 CEST	53	52024	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:30.587083101 CEST	57198	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:30.599284887 CEST	53	57198	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:30.600223064 CEST	55495	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:30.842122078 CEST	53	55495	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:30.843055964 CEST	65163	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:30.861856937 CEST	53	65163	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:30.862859011 CEST	56791	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:30.875878096 CEST	53	56791	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:30.876879930 CEST	63412	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:30.887962103 CEST	53	63412	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:30.888780117 CEST	61359	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:31.129909992 CEST	53	61359	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:31.130997896 CEST	65109	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:31.271533012 CEST	53	65109	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:31.936688900 CEST	61245	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:31.947421074 CEST	53	61245	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:31.948285103 CEST	63184	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:31.961842060 CEST	53	63184	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:31.962630033 CEST	65367	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:31.979315996 CEST	53	65367	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:31.980137110 CEST	59701	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:31:31.991684914 CEST	53	59701	1.1.1.1	192.168.2.10
Aug 5, 2024 16:31:46.898359060 CEST	53	54156	162.159.36.2	192.168.2.10
Aug 5, 2024 16:31:47.486059904 CEST	53	61311	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:21.742342949 CEST	53374	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.033854008 CEST	53	53374	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.035722017 CEST	59680	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.053932905 CEST	53	59680	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.054742098 CEST	62704	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.067715883 CEST	53	62704	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.068382025 CEST	61384	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.080652952 CEST	53	61384	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.081398010 CEST	51574	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.089755058 CEST	53	51574	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.090291977 CEST	50791	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.334707975 CEST	53	50791	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.335807085 CEST	65306	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.348012924 CEST	53	65306	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.349045992 CEST	52057	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.514712095 CEST	53	52057	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:22.515654087 CEST	65242	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:22.757802010 CEST	53	65242	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.186590910 CEST	60463	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.197201014 CEST	53	60463	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.198005915 CEST	50678	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.448008060 CEST	53	50678	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.449012995 CEST	51108	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.462788105 CEST	53	51108	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.463592052 CEST	50382	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.474508047 CEST	53	50382	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.475159883 CEST	64827	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.488100052 CEST	53	64827	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.488740921 CEST	49983	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.499778032 CEST	53	49983	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.500358105 CEST	54428	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.510442019 CEST	53	54428	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.510942936 CEST	59782	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.522083998 CEST	53	59782	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.522806883 CEST	58815	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:24.765403032 CEST	53	58815	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:24.767987013 CEST	65466	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.017735958 CEST	53	65466	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.018646002 CEST	57883	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.172645092 CEST	53	57883	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.174038887 CEST	62795	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.424228907 CEST	53	62795	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.425216913 CEST	51234	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.668515921 CEST	53	51234	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.669785023 CEST	56488	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.683319092 CEST	53	56488	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.683900118 CEST	58330	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.698292971 CEST	53	58330	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.699079990 CEST	57453	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.710163116 CEST	53	57453	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.710776091 CEST	49409	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.953505039 CEST	53	49409	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.954510927 CEST	50456	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:25.966516972 CEST	53	50456	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:25.967155933 CEST	65272	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:26.218379974 CEST	53	65272	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:26.219305038 CEST	58723	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:26.230578899 CEST	53	58723	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:26.231472015 CEST	59555	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:26.474489927 CEST	53	59555	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:26.475570917 CEST	60044	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:26.717175961 CEST	53	60044	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:26.718117952 CEST	61514	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:26.729314089 CEST	53	61514	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:26.730200052 CEST	59132	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:26.743012905 CEST	53	59132	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:26.743777037 CEST	49692	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:27.232798100 CEST	53	49692	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:27.233656883 CEST	52922	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:27.775676966 CEST	53	52922	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.652646065 CEST	55410	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:28.663933992 CEST	53	55410	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.664877892 CEST	54156	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:28.675689936 CEST	53	54156	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.676579952 CEST	59053	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:28.691517115 CEST	53	59053	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.692285061 CEST	56657	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:28.706552029 CEST	53	56657	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.707367897 CEST	60294	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:28.868716002 CEST	53	60294	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.869724035 CEST	55296	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:28.879950047 CEST	53	55296	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:28.880810976 CEST	60230	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.122548103 CEST	53	60230	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.123446941 CEST	52413	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.365197897 CEST	53	52413	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.366215944 CEST	65413	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.378705025 CEST	53	65413	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.379504919 CEST	55191	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.391655922 CEST	53	55191	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.392272949 CEST	53993	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.400578976 CEST	53	53993	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.401128054 CEST	53119	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.418683052 CEST	53	53119	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.419442892 CEST	61545	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.660914898 CEST	53	61545	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.661899090 CEST	50580	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.672277927 CEST	53	50580	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.672961950 CEST	61192	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.685389042 CEST	53	61192	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.689735889 CEST	54700	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.701284885 CEST	53	54700	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.702090025 CEST	58882	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:29.713119030 CEST	53	58882	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:29.713802099 CEST	51422	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:30.712255955 CEST	51422	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:30.907732964 CEST	53	51422	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:30.917253971 CEST	53	51422	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:32.049957991 CEST	61792	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:32.062247992 CEST	53	61792	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:32.063163996 CEST	62699	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:32.075095892 CEST	53	62699	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:32.075927019 CEST	57756	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:32.317081928 CEST	53	57756	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:32.318088055 CEST	64442	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:32.570079088 CEST	53	64442	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:32.570909023 CEST	58016	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:33.075577021 CEST	53	58016	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:33.076587915 CEST	52285	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:33.318655968 CEST	53	52285	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:33.319762945 CEST	60176	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:33.331310034 CEST	53	60176	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:33.332036018 CEST	52659	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:33.342911959 CEST	53	52659	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:33.343517065 CEST	54096	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:33.585846901 CEST	53	54096	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.076934099 CEST	60594	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.088249922 CEST	53	60594	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.088907003 CEST	62263	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.100713968 CEST	53	62263	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.101521969 CEST	64965	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.112740040 CEST	53	64965	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.113399982 CEST	56394	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.124320984 CEST	53	56394	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.125329018 CEST	64766	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.288577080 CEST	53	64766	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.289629936 CEST	49171	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.530987978 CEST	53	49171	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:34.532275915 CEST	61048	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:34.543565989 CEST	53	61048	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.084992886 CEST	59498	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.095653057 CEST	53	59498	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.096298933 CEST	55568	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.110565901 CEST	53	55568	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.111236095 CEST	63462	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.127053022 CEST	53	63462	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.127685070 CEST	51938	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.288882017 CEST	53	51938	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.289947033 CEST	55134	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.301291943 CEST	53	55134	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.301923990 CEST	53017	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.312129021 CEST	53	53017	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.312930107 CEST	63351	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.554799080 CEST	53	63351	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.558506966 CEST	58843	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.570971966 CEST	53	58843	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.571660995 CEST	61304	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:36.581650019 CEST	53	61304	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:36.582168102 CEST	50293	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.001276970 CEST	53	50293	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.002304077 CEST	51638	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.014401913 CEST	53	51638	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.014929056 CEST	55378	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.027705908 CEST	53	55378	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.028310061 CEST	62847	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.038834095 CEST	53	62847	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.039449930 CEST	57462	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.478445053 CEST	53	57462	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.479446888 CEST	56134	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.722038031 CEST	53	56134	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.723129988 CEST	65197	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.734090090 CEST	53	65197	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.734934092 CEST	59049	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.985590935 CEST	53	59049	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.986679077 CEST	62963	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:37.997615099 CEST	53	62963	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:37.998461008 CEST	65208	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.008923054 CEST	53	65208	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.009851933 CEST	53703	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.020234108 CEST	53	53703	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.020961046 CEST	51429	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.032732010 CEST	53	51429	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.033447981 CEST	50683	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.043525934 CEST	53	50683	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.044270039 CEST	52979	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.054968119 CEST	53	52979	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.055701971 CEST	51053	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.297880888 CEST	53	51053	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.305075884 CEST	58702	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.554692030 CEST	53	58702	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:38.555934906 CEST	58017	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:38.567215919 CEST	53	58017	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:39.217190981 CEST	55381	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:39.228540897 CEST	53	55381	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:39.693505049 CEST	63632	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.100369930 CEST	53	63632	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.101309061 CEST	63625	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.112272978 CEST	53	63625	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.113485098 CEST	58225	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.366164923 CEST	53	58225	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.371021986 CEST	61130	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.382249117 CEST	53	61130	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.383068085 CEST	58594	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.625628948 CEST	53	58594	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.626787901 CEST	54546	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.638185024 CEST	53	54546	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.639264107 CEST	50202	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.881513119 CEST	53	50202	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.882358074 CEST	64853	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.892966032 CEST	53	64853	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.894454956 CEST	57281	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.906224012 CEST	53	57281	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.907175064 CEST	61758	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.918932915 CEST	53	61758	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.919703960 CEST	62408	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.932379007 CEST	53	62408	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.933425903 CEST	55422	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.950762033 CEST	53	55422	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.951628923 CEST	56653	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:40.961971998 CEST	53	56653	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:40.962682962 CEST	64703	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:41.203352928 CEST	53	64703	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:41.204370022 CEST	64818	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:41.215627909 CEST	53	64818	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:41.717185020 CEST	53039	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:41.728296041 CEST	53	53039	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:41.729144096 CEST	59510	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:41.740360975 CEST	53	59510	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:41.740993977 CEST	53531	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:41.981301069 CEST	53	53531	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:41.982271910 CEST	50692	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:41.992810011 CEST	53	50692	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:43.908318043 CEST	57961	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:43.919918060 CEST	53	57961	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:43.920840025 CEST	58768	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:43.931905985 CEST	53	58768	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:44.784192085 CEST	63444	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:44.794243097 CEST	53	63444	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:44.795068979 CEST	49785	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:44.806416988 CEST	53	49785	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:44.807228088 CEST	63803	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:44.819499016 CEST	53	63803	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:44.820108891 CEST	54943	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:44.829854965 CEST	53	54943	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:44.830421925 CEST	60449	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:44.840949059 CEST	53	60449	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:44.841397047 CEST	63947	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.082494974 CEST	53	63947	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.083591938 CEST	51505	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.094079971 CEST	53	51505	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.094821930 CEST	50204	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.338329077 CEST	53	50204	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.339423895 CEST	49312	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.350200891 CEST	53	49312	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.351133108 CEST	54345	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.362163067 CEST	53	54345	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.362987995 CEST	61703	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.532459021 CEST	53	61703	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.533665895 CEST	55524	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.777915001 CEST	53	55524	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.779071093 CEST	54226	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:45.814073086 CEST	53	54226	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:45.815004110 CEST	64973	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:46.057610035 CEST	53	64973	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:46.058651924 CEST	50081	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:46.077265024 CEST	53	50081	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:46.078293085 CEST	54821	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:46.088011980 CEST	53	54821	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:46.088753939 CEST	50002	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:46.328686953 CEST	53	50002	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:46.998140097 CEST	52735	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:47.240871906 CEST	53	52735	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:47.241785049 CEST	63435	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:47.254311085 CEST	53	63435	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:47.255152941 CEST	60297	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:47.266391993 CEST	53	60297	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:47.267287970 CEST	59219	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:47.512999058 CEST	53	59219	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:47.514270067 CEST	58866	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:47.757431984 CEST	53	58866	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:47.758739948 CEST	63346	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.012943983 CEST	53	63346	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:48.031780958 CEST	59788	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.284079075 CEST	53	59788	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:48.285063982 CEST	56177	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.295645952 CEST	53	56177	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:48.296413898 CEST	52912	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.307679892 CEST	53	52912	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:48.308526993 CEST	60559	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.320211887 CEST	53	60559	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:48.321218014 CEST	59561	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.572201967 CEST	53	59561	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:48.573508024 CEST	57647	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:48.588815928 CEST	53	57647	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:49.099983931 CEST	52260	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:49.342328072 CEST	53	52260	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:49.343247890 CEST	63173	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:49.354818106 CEST	53	63173	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:49.355525017 CEST	65443	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:49.366461039 CEST	53	65443	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:49.367110968 CEST	60260	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:49.379550934 CEST	53	60260	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:49.380302906 CEST	60075	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:49.392680883 CEST	53	60075	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:49.393454075 CEST	51995	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:49.633491039 CEST	53	51995	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:50.356137037 CEST	60397	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:50.381472111 CEST	53	60397	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:50.390471935 CEST	62520	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:50.401840925 CEST	53	62520	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:50.411632061 CEST	54529	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:50.423181057 CEST	53	54529	1.1.1.1	192.168.2.10
Aug 5, 2024 16:32:50.487083912 CEST	55281	53	192.168.2.10	1.1.1.1
Aug 5, 2024 16:32:50.502015114 CEST	53	55281	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Aug 5, 2024 16:31:02.882504940 CEST	192.168.2.10	1.1.1.1	0xcdf9	Standard query (0)	smokeclear.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.127038956 CEST	192.168.2.10	1.1.1.1	0x9076	Standard query (0)	womangeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.369817972 CEST	192.168.2.10	1.1.1.1	0xb4ff	Standard query (0)	smokegeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.620843887 CEST	192.168.2.10	1.1.1.1	0xb8e8	Standard query (0)	womaninclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.633685112 CEST	192.168.2.10	1.1.1.1	0x45b1	Standard query (0)	smokeinclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.645592928 CEST	192.168.2.10	1.1.1.1	0x91f0	Standard query (0)	womannorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.898564100 CEST	192.168.2.10	1.1.1.1	0x9dc3	Standard query (0)	smokenorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.915992975 CEST	192.168.2.10	1.1.1.1	0xfb50	Standard query (0)	partyclear.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.931103945 CEST	192.168.2.10	1.1.1.1	0x5d33	Standard query (0)	fightclear.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:04.177119970 CEST	192.168.2.10	1.1.1.1	0x7504	Standard query (0)	partygeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.014672041 CEST	192.168.2.10	1.1.1.1	0x1c2b	Standard query (0)	fightgeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.028759956 CEST	192.168.2.10	1.1.1.1	0x4706	Standard query (0)	partyinclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.041120052 CEST	192.168.2.10	1.1.1.1	0xdb65	Standard query (0)	fightinclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.053561926 CEST	192.168.2.10	1.1.1.1	0x2ec2	Standard query (0)	partynorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.066418886 CEST	192.168.2.10	1.1.1.1	0xa040	Standard query (0)	fightnorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.078897953 CEST	192.168.2.10	1.1.1.1	0xa1d7	Standard query (0)	freshbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.092212915 CEST	192.168.2.10	1.1.1.1	0xadee	Standard query (0)	experiencebranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.107326984 CEST	192.168.2.10	1.1.1.1	0x950c	Standard query (0)	freshbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.157839060 CEST	192.168.2.10	1.1.1.1	0x7acf	Standard query (0)	experiencebelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.176866055 CEST	192.168.2.10	1.1.1.1	0x56f7	Standard query (0)	freshreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.199841022 CEST	192.168.2.10	1.1.1.1	0x66e8	Standard query (0)	experiencereceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.214617968 CEST	192.168.2.10	1.1.1.1	0x548	Standard query (0)	freshquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.457214117 CEST	192.168.2.10	1.1.1.1	0xd2df	Standard query (0)	experiencequarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.469610929 CEST	192.168.2.10	1.1.1.1	0x8a17	Standard query (0)	gentlemanbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.484849930 CEST	192.168.2.10	1.1.1.1	0xc484	Standard query (0)	alreadybranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.497895956 CEST	192.168.2.10	1.1.1.1	0x9d71	Standard query (0)	gentlemanbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.743220091 CEST	192.168.2.10	1.1.1.1	0xe2c8	Standard query (0)	alreadybelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.755007982 CEST	192.168.2.10	1.1.1.1	0x1c1e	Standard query (0)	gentlemanreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.138333082 CEST	192.168.2.10	1.1.1.1	0x78f4	Standard query (0)	alreadyreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.148946047 CEST	192.168.2.10	1.1.1.1	0x7d4f	Standard query (0)	gentlemanquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.161900997 CEST	192.168.2.10	1.1.1.1	0xa6b9	Standard query (0)	alreadyquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.182653904 CEST	192.168.2.10	1.1.1.1	0x8705	Standard query (0)	followbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.194304943 CEST	192.168.2.10	1.1.1.1	0x5de0	Standard query (0)	memberbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.205719948 CEST	192.168.2.10	1.1.1.1	0x39f8	Standard query (0)	followbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.218358040 CEST	192.168.2.10	1.1.1.1	0xb8d3	Standard query (0)	memberbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.230298042 CEST	192.168.2.10	1.1.1.1	0x4c9e	Standard query (0)	followreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.651259899 CEST	192.168.2.10	1.1.1.1	0xa3de	Standard query (0)	memberreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:10.656595945 CEST	192.168.2.10	1.1.1.1	0xa3de	Standard query (0)	memberreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.746931076 CEST	192.168.2.10	1.1.1.1	0xf426	Standard query (0)	followquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.759210110 CEST	192.168.2.10	1.1.1.1	0x2727	Standard query (0)	memberquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.924520016 CEST	192.168.2.10	1.1.1.1	0xe10	Standard query (0)	beginbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.937032938 CEST	192.168.2.10	1.1.1.1	0x7053	Standard query (0)	knownbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.951244116 CEST	192.168.2.10	1.1.1.1	0xe042	Standard query (0)	beginbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.963010073 CEST	192.168.2.10	1.1.1.1	0x137f	Standard query (0)	knownbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.977101088 CEST	192.168.2.10	1.1.1.1	0xb1b9	Standard query (0)	beginreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.986973047 CEST	192.168.2.10	1.1.1.1	0x34a	Standard query (0)	knownreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.999177933 CEST	192.168.2.10	1.1.1.1	0x23a3	Standard query (0)	beginquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.011706114 CEST	192.168.2.10	1.1.1.1	0x10c5	Standard query (0)	knownquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.023710012 CEST	192.168.2.10	1.1.1.1	0xe434	Standard query (0)	summerbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.267842054 CEST	192.168.2.10	1.1.1.1	0xb597	Standard query (0)	crowdbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.434365988 CEST	192.168.2.10	1.1.1.1	0xd	Standard query (0)	summerbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.446016073 CEST	192.168.2.10	1.1.1.1	0xf72	Standard query (0)	crowdbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.457683086 CEST	192.168.2.10	1.1.1.1	0xa75	Standard query (0)	summerreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.708470106 CEST	192.168.2.10	1.1.1.1	0x219	Standard query (0)	crowdreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.721693039 CEST	192.168.2.10	1.1.1.1	0x6e4	Standard query (0)	summerquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.967549086 CEST	192.168.2.10	1.1.1.1	0xe28e	Standard query (0)	crowdquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.979518890 CEST	192.168.2.10	1.1.1.1	0x53a8	Standard query (0)	thoughtbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:13.947841883 CEST	192.168.2.10	1.1.1.1	0x7a73	Standard query (0)	waterbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:13.966900110 CEST	192.168.2.10	1.1.1.1	0xe6e7	Standard query (0)	thoughtbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.221539974 CEST	192.168.2.10	1.1.1.1	0x79cd	Standard query (0)	waterbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.232577085 CEST	192.168.2.10	1.1.1.1	0xef7b	Standard query (0)	thoughtreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.488934040 CEST	192.168.2.10	1.1.1.1	0xb732	Standard query (0)	waterreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.501771927 CEST	192.168.2.10	1.1.1.1	0xab4e	Standard query (0)	thoughtquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.746081114 CEST	192.168.2.10	1.1.1.1	0xd17d	Standard query (0)	waterquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.759401083 CEST	192.168.2.10	1.1.1.1	0xfc3c	Standard query (0)	womanbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.772619009 CEST	192.168.2.10	1.1.1.1	0x52ca	Standard query (0)	smokebranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.017370939 CEST	192.168.2.10	1.1.1.1	0x8000	Standard query (0)	womanbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.545840979 CEST	192.168.2.10	1.1.1.1	0x23be	Standard query (0)	smokebelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.557965040 CEST	192.168.2.10	1.1.1.1	0xf482	Standard query (0)	womanreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.570674896 CEST	192.168.2.10	1.1.1.1	0xbdee	Standard query (0)	smokereceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.823009968 CEST	192.168.2.10	1.1.1.1	0x8f7b	Standard query (0)	womanquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.990343094 CEST	192.168.2.10	1.1.1.1	0x3c5b	Standard query (0)	smokequarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.002454042 CEST	192.168.2.10	1.1.1.1	0xd530	Standard query (0)	partybranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.014286995 CEST	192.168.2.10	1.1.1.1	0xc3d3	Standard query (0)	fightbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.267287970 CEST	192.168.2.10	1.1.1.1	0x8a0	Standard query (0)	partybelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.215126991 CEST	192.168.2.10	1.1.1.1	0x9e1a	Standard query (0)	fightbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.226217985 CEST	192.168.2.10	1.1.1.1	0xd3e5	Standard query (0)	partyreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.239258051 CEST	192.168.2.10	1.1.1.1	0x8052	Standard query (0)	fightreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.249949932 CEST	192.168.2.10	1.1.1.1	0xbc82	Standard query (0)	partyquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.268583059 CEST	192.168.2.10	1.1.1.1	0x97f1	Standard query (0)	fightquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.281032085 CEST	192.168.2.10	1.1.1.1	0x3307	Standard query (0)	freshhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.531606913 CEST	192.168.2.10	1.1.1.1	0x5265	Standard query (0)	experiencehonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.545734882 CEST	192.168.2.10	1.1.1.1	0xd940	Standard query (0)	freshneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.557972908 CEST	192.168.2.10	1.1.1.1	0x27de	Standard query (0)	experienceneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.808018923 CEST	192.168.2.10	1.1.1.1	0x99fd	Standard query (0)	freshsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.052470922 CEST	192.168.2.10	1.1.1.1	0x5349	Standard query (0)	experiencesystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.296248913 CEST	192.168.2.10	1.1.1.1	0xe939	Standard query (0)	freshtrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.308192015 CEST	192.168.2.10	1.1.1.1	0x543c	Standard query (0)	experiencetrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.321122885 CEST	192.168.2.10	1.1.1.1	0xbe88	Standard query (0)	gentlemanhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.562916994 CEST	192.168.2.10	1.1.1.1	0x7d30	Standard query (0)	alreadyhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.574088097 CEST	192.168.2.10	1.1.1.1	0x741a	Standard query (0)	gentlemanneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.585004091 CEST	192.168.2.10	1.1.1.1	0x248b	Standard query (0)	alreadyneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.595588923 CEST	192.168.2.10	1.1.1.1	0xe3c9	Standard query (0)	gentlemansystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.607501984 CEST	192.168.2.10	1.1.1.1	0xb86a	Standard query (0)	alreadysystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.618956089 CEST	192.168.2.10	1.1.1.1	0x9a3	Standard query (0)	gentlemantrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.630228043 CEST	192.168.2.10	1.1.1.1	0xe9f3	Standard query (0)	alreadytrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.641748905 CEST	192.168.2.10	1.1.1.1	0x22d1	Standard query (0)	followhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.653347969 CEST	192.168.2.10	1.1.1.1	0x3b0d	Standard query (0)	memberhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.664727926 CEST	192.168.2.10	1.1.1.1	0x2b1f	Standard query (0)	followneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.675411940 CEST	192.168.2.10	1.1.1.1	0xede9	Standard query (0)	memberneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.926172972 CEST	192.168.2.10	1.1.1.1	0x9e26	Standard query (0)	followsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.168669939 CEST	192.168.2.10	1.1.1.1	0xaa0	Standard query (0)	membersystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.844845057 CEST	192.168.2.10	1.1.1.1	0xc683	Standard query (0)	followtrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.858544111 CEST	192.168.2.10	1.1.1.1	0xeea8	Standard query (0)	membertrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:20.381906986 CEST	192.168.2.10	1.1.1.1	0x9f13	Standard query (0)	beginhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:20.626261950 CEST	192.168.2.10	1.1.1.1	0x367	Standard query (0)	knownhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:20.880215883 CEST	192.168.2.10	1.1.1.1	0xa5bb	Standard query (0)	beginneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.132921934 CEST	192.168.2.10	1.1.1.1	0xa844	Standard query (0)	knownneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.145684958 CEST	192.168.2.10	1.1.1.1	0xd2a0	Standard query (0)	beginsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.396131039 CEST	192.168.2.10	1.1.1.1	0xd80c	Standard query (0)	knownsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.413428068 CEST	192.168.2.10	1.1.1.1	0x67e1	Standard query (0)	begintrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.427905083 CEST	192.168.2.10	1.1.1.1	0x6dc1	Standard query (0)	knowntrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.439368010 CEST	192.168.2.10	1.1.1.1	0x890e	Standard query (0)	summerhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.690788031 CEST	192.168.2.10	1.1.1.1	0x443e	Standard query (0)	crowdhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.179846048 CEST	192.168.2.10	1.1.1.1	0x913f	Standard query (0)	summerneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.192302942 CEST	192.168.2.10	1.1.1.1	0xc9b2	Standard query (0)	crowdneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.435436010 CEST	192.168.2.10	1.1.1.1	0xac25	Standard query (0)	summersystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.447968006 CEST	192.168.2.10	1.1.1.1	0x3d1a	Standard query (0)	crowdsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.460942030 CEST	192.168.2.10	1.1.1.1	0x30a5	Standard query (0)	summertrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.706429958 CEST	192.168.2.10	1.1.1.1	0xadae	Standard query (0)	crowdtrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.485728025 CEST	192.168.2.10	1.1.1.1	0x83d1	Standard query (0)	thoughthonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.734543085 CEST	192.168.2.10	1.1.1.1	0x27e	Standard query (0)	waterhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.745800018 CEST	192.168.2.10	1.1.1.1	0x3aa	Standard query (0)	thoughtneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.759983063 CEST	192.168.2.10	1.1.1.1	0x574c	Standard query (0)	waterneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.772779942 CEST	192.168.2.10	1.1.1.1	0xfc6a	Standard query (0)	thoughtsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:24.427989960 CEST	192.168.2.10	1.1.1.1	0x686	Standard query (0)	watersystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:25.244570017 CEST	192.168.2.10	1.1.1.1	0x52f4	Standard query (0)	thoughttrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:25.255331039 CEST	192.168.2.10	1.1.1.1	0x6c00	Standard query (0)	watertrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:25.500210047 CEST	192.168.2.10	1.1.1.1	0xf0df	Standard query (0)	womanhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.339097023 CEST	192.168.2.10	1.1.1.1	0x577b	Standard query (0)	smokehonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.351042986 CEST	192.168.2.10	1.1.1.1	0x5974	Standard query (0)	womanneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.363776922 CEST	192.168.2.10	1.1.1.1	0xdc5	Standard query (0)	smokeneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.604753017 CEST	192.168.2.10	1.1.1.1	0x8abf	Standard query (0)	womansystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.848715067 CEST	192.168.2.10	1.1.1.1	0x6100	Standard query (0)	smokesystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.863360882 CEST	192.168.2.10	1.1.1.1	0x6a99	Standard query (0)	womantrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.872020006 CEST	192.168.2.10	1.1.1.1	0xec04	Standard query (0)	smoketrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.885767937 CEST	192.168.2.10	1.1.1.1	0x1c3e	Standard query (0)	partyhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.896840096 CEST	192.168.2.10	1.1.1.1	0xef35	Standard query (0)	fighthonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.913857937 CEST	192.168.2.10	1.1.1.1	0x9431	Standard query (0)	partyneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.926032066 CEST	192.168.2.10	1.1.1.1	0x4791	Standard query (0)	fightneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.939829111 CEST	192.168.2.10	1.1.1.1	0xcb55	Standard query (0)	partysystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.951847076 CEST	192.168.2.10	1.1.1.1	0x3c01	Standard query (0)	fightsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.992214918 CEST	192.168.2.10	1.1.1.1	0xa222	Standard query (0)	partytrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.236715078 CEST	192.168.2.10	1.1.1.1	0xb144	Standard query (0)	fighttrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.249437094 CEST	192.168.2.10	1.1.1.1	0xe2aa	Standard query (0)	freshlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.261852980 CEST	192.168.2.10	1.1.1.1	0x993c	Standard query (0)	experiencelaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.274288893 CEST	192.168.2.10	1.1.1.1	0xba37	Standard query (0)	freshfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.952100992 CEST	192.168.2.10	1.1.1.1	0xed28	Standard query (0)	experiencefancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.198993921 CEST	192.168.2.10	1.1.1.1	0x2977	Standard query (0)	freshconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.451400042 CEST	192.168.2.10	1.1.1.1	0x97cc	Standard query (0)	experienceconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.463675022 CEST	192.168.2.10	1.1.1.1	0x5524	Standard query (0)	freshfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.475723028 CEST	192.168.2.10	1.1.1.1	0x9e1a	Standard query (0)	experiencefriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.487063885 CEST	192.168.2.10	1.1.1.1	0xc4c5	Standard query (0)	gentlemanlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.497598886 CEST	192.168.2.10	1.1.1.1	0x92db	Standard query (0)	alreadylaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.742126942 CEST	192.168.2.10	1.1.1.1	0x9448	Standard query (0)	gentlemanfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.755708933 CEST	192.168.2.10	1.1.1.1	0x2379	Standard query (0)	alreadyfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.275326014 CEST	192.168.2.10	1.1.1.1	0xf24f	Standard query (0)	gentlemanconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.289943933 CEST	192.168.2.10	1.1.1.1	0xd1	Standard query (0)	alreadyconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.533618927 CEST	192.168.2.10	1.1.1.1	0xaec	Standard query (0)	gentlemanfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.777103901 CEST	192.168.2.10	1.1.1.1	0xa474	Standard query (0)	alreadyfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.587083101 CEST	192.168.2.10	1.1.1.1	0xaf06	Standard query (0)	followlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.600223064 CEST	192.168.2.10	1.1.1.1	0xc2b9	Standard query (0)	memberlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.843055964 CEST	192.168.2.10	1.1.1.1	0x93e8	Standard query (0)	followfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.862859011 CEST	192.168.2.10	1.1.1.1	0xb04b	Standard query (0)	memberfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.876879930 CEST	192.168.2.10	1.1.1.1	0x2573	Standard query (0)	followconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.888780117 CEST	192.168.2.10	1.1.1.1	0x2ef5	Standard query (0)	memberconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.130997896 CEST	192.168.2.10	1.1.1.1	0x1041	Standard query (0)	followfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.936688900 CEST	192.168.2.10	1.1.1.1	0x5fe2	Standard query (0)	memberfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.948285103 CEST	192.168.2.10	1.1.1.1	0x3dd4	Standard query (0)	beginlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.962630033 CEST	192.168.2.10	1.1.1.1	0x60ba	Standard query (0)	knownlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.980137110 CEST	192.168.2.10	1.1.1.1	0x662e	Standard query (0)	beginfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:21.742342949 CEST	192.168.2.10	1.1.1.1	0x8e2a	Standard query (0)	smokeclear.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.035722017 CEST	192.168.2.10	1.1.1.1	0xe6c3	Standard query (0)	womangeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.054742098 CEST	192.168.2.10	1.1.1.1	0x9b60	Standard query (0)	smokegeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.068382025 CEST	192.168.2.10	1.1.1.1	0x2afe	Standard query (0)	womaninclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.081398010 CEST	192.168.2.10	1.1.1.1	0x14f5	Standard query (0)	smokeinclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.090291977 CEST	192.168.2.10	1.1.1.1	0x3c6e	Standard query (0)	womannorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.335807085 CEST	192.168.2.10	1.1.1.1	0xb756	Standard query (0)	smokenorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.349045992 CEST	192.168.2.10	1.1.1.1	0xccdf	Standard query (0)	partyclear.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.515654087 CEST	192.168.2.10	1.1.1.1	0x7575	Standard query (0)	fightclear.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.186590910 CEST	192.168.2.10	1.1.1.1	0xc625	Standard query (0)	fightgeneral.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.198005915 CEST	192.168.2.10	1.1.1.1	0x5b7b	Standard query (0)	partyinclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.449012995 CEST	192.168.2.10	1.1.1.1	0xc4e	Standard query (0)	fightinclude.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.463592052 CEST	192.168.2.10	1.1.1.1	0xf858	Standard query (0)	partynorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.475159883 CEST	192.168.2.10	1.1.1.1	0xd72e	Standard query (0)	fightnorth.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.488740921 CEST	192.168.2.10	1.1.1.1	0x67d2	Standard query (0)	freshbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.500358105 CEST	192.168.2.10	1.1.1.1	0x41e2	Standard query (0)	experiencebranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.510942936 CEST	192.168.2.10	1.1.1.1	0x590d	Standard query (0)	freshbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.522806883 CEST	192.168.2.10	1.1.1.1	0xfcf8	Standard query (0)	experiencebelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.767987013 CEST	192.168.2.10	1.1.1.1	0xb7e0	Standard query (0)	freshreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.018646002 CEST	192.168.2.10	1.1.1.1	0x55e3	Standard query (0)	experiencereceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.174038887 CEST	192.168.2.10	1.1.1.1	0x804e	Standard query (0)	freshquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.425216913 CEST	192.168.2.10	1.1.1.1	0xce29	Standard query (0)	experiencequarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.669785023 CEST	192.168.2.10	1.1.1.1	0xbe3e	Standard query (0)	gentlemanbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.683900118 CEST	192.168.2.10	1.1.1.1	0xe5c1	Standard query (0)	alreadybranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.699079990 CEST	192.168.2.10	1.1.1.1	0x69f7	Standard query (0)	gentlemanbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.710776091 CEST	192.168.2.10	1.1.1.1	0x3925	Standard query (0)	alreadybelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.954510927 CEST	192.168.2.10	1.1.1.1	0xb02c	Standard query (0)	gentlemanreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.967155933 CEST	192.168.2.10	1.1.1.1	0x957b	Standard query (0)	alreadyreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.219305038 CEST	192.168.2.10	1.1.1.1	0xef94	Standard query (0)	gentlemanquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.231472015 CEST	192.168.2.10	1.1.1.1	0xd4f3	Standard query (0)	alreadyquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.475570917 CEST	192.168.2.10	1.1.1.1	0xf17a	Standard query (0)	followbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.718117952 CEST	192.168.2.10	1.1.1.1	0x1e3f	Standard query (0)	memberbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.730200052 CEST	192.168.2.10	1.1.1.1	0x995d	Standard query (0)	followbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.743777037 CEST	192.168.2.10	1.1.1.1	0x2905	Standard query (0)	memberbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:27.233656883 CEST	192.168.2.10	1.1.1.1	0x6462	Standard query (0)	followreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.652646065 CEST	192.168.2.10	1.1.1.1	0x3a69	Standard query (0)	followquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.664877892 CEST	192.168.2.10	1.1.1.1	0xe88d	Standard query (0)	memberquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.676579952 CEST	192.168.2.10	1.1.1.1	0x4ef8	Standard query (0)	beginbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.692285061 CEST	192.168.2.10	1.1.1.1	0xd007	Standard query (0)	knownbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.707367897 CEST	192.168.2.10	1.1.1.1	0xd0f7	Standard query (0)	beginbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.869724035 CEST	192.168.2.10	1.1.1.1	0x7c98	Standard query (0)	knownbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.880810976 CEST	192.168.2.10	1.1.1.1	0x7d18	Standard query (0)	beginreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.123446941 CEST	192.168.2.10	1.1.1.1	0x9afe	Standard query (0)	knownreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.366215944 CEST	192.168.2.10	1.1.1.1	0x757f	Standard query (0)	beginquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.379504919 CEST	192.168.2.10	1.1.1.1	0xd29c	Standard query (0)	knownquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.392272949 CEST	192.168.2.10	1.1.1.1	0x2441	Standard query (0)	summerbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.401128054 CEST	192.168.2.10	1.1.1.1	0x5e6	Standard query (0)	crowdbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.419442892 CEST	192.168.2.10	1.1.1.1	0x573	Standard query (0)	summerbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.661899090 CEST	192.168.2.10	1.1.1.1	0x6db4	Standard query (0)	crowdbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.672961950 CEST	192.168.2.10	1.1.1.1	0xaae2	Standard query (0)	summerreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.689735889 CEST	192.168.2.10	1.1.1.1	0xf1b3	Standard query (0)	crowdreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.702090025 CEST	192.168.2.10	1.1.1.1	0x51cc	Standard query (0)	summerquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.713802099 CEST	192.168.2.10	1.1.1.1	0xc1fa	Standard query (0)	crowdquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:30.712255955 CEST	192.168.2.10	1.1.1.1	0xc1fa	Standard query (0)	crowdquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.049957991 CEST	192.168.2.10	1.1.1.1	0x761d	Standard query (0)	waterbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.063163996 CEST	192.168.2.10	1.1.1.1	0xf2aa	Standard query (0)	thoughtbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.075927019 CEST	192.168.2.10	1.1.1.1	0x8c70	Standard query (0)	waterbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.318088055 CEST	192.168.2.10	1.1.1.1	0x7457	Standard query (0)	thoughtreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.570909023 CEST	192.168.2.10	1.1.1.1	0xf617	Standard query (0)	waterreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.076587915 CEST	192.168.2.10	1.1.1.1	0xb53	Standard query (0)	thoughtquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.319762945 CEST	192.168.2.10	1.1.1.1	0xf050	Standard query (0)	waterquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.332036018 CEST	192.168.2.10	1.1.1.1	0x3733	Standard query (0)	womanbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.343517065 CEST	192.168.2.10	1.1.1.1	0x549	Standard query (0)	smokebranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.076934099 CEST	192.168.2.10	1.1.1.1	0xe3ec	Standard query (0)	smokebelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.088907003 CEST	192.168.2.10	1.1.1.1	0x1465	Standard query (0)	womanreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.101521969 CEST	192.168.2.10	1.1.1.1	0x9c21	Standard query (0)	smokereceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.113399982 CEST	192.168.2.10	1.1.1.1	0xe66b	Standard query (0)	womanquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.125329018 CEST	192.168.2.10	1.1.1.1	0x5049	Standard query (0)	smokequarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.289629936 CEST	192.168.2.10	1.1.1.1	0x801f	Standard query (0)	partybranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.532275915 CEST	192.168.2.10	1.1.1.1	0xf0d2	Standard query (0)	fightbranch.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.084992886 CEST	192.168.2.10	1.1.1.1	0xc6dd	Standard query (0)	fightbelieve.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.096298933 CEST	192.168.2.10	1.1.1.1	0x42ad	Standard query (0)	partyreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.111236095 CEST	192.168.2.10	1.1.1.1	0x1c80	Standard query (0)	fightreceive.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.127685070 CEST	192.168.2.10	1.1.1.1	0x4392	Standard query (0)	partyquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.289947033 CEST	192.168.2.10	1.1.1.1	0x21f1	Standard query (0)	fightquarter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.301923990 CEST	192.168.2.10	1.1.1.1	0x4574	Standard query (0)	freshhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.312930107 CEST	192.168.2.10	1.1.1.1	0x2142	Standard query (0)	experiencehonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.558506966 CEST	192.168.2.10	1.1.1.1	0x96a	Standard query (0)	freshneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.571660995 CEST	192.168.2.10	1.1.1.1	0x89cb	Standard query (0)	experienceneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.582168102 CEST	192.168.2.10	1.1.1.1	0xc506	Standard query (0)	freshsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.002304077 CEST	192.168.2.10	1.1.1.1	0xbbda	Standard query (0)	experiencesystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.014929056 CEST	192.168.2.10	1.1.1.1	0x785b	Standard query (0)	freshtrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.028310061 CEST	192.168.2.10	1.1.1.1	0xaa07	Standard query (0)	experiencetrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.039449930 CEST	192.168.2.10	1.1.1.1	0x1bf3	Standard query (0)	gentlemanhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.479446888 CEST	192.168.2.10	1.1.1.1	0x16a4	Standard query (0)	alreadyhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.723129988 CEST	192.168.2.10	1.1.1.1	0xbbbf	Standard query (0)	gentlemanneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.734934092 CEST	192.168.2.10	1.1.1.1	0x578b	Standard query (0)	alreadyneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.986679077 CEST	192.168.2.10	1.1.1.1	0x336f	Standard query (0)	gentlemansystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.998461008 CEST	192.168.2.10	1.1.1.1	0xdfd7	Standard query (0)	alreadysystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.009851933 CEST	192.168.2.10	1.1.1.1	0xdaaa	Standard query (0)	gentlemantrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.020961046 CEST	192.168.2.10	1.1.1.1	0xc24	Standard query (0)	alreadytrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.033447981 CEST	192.168.2.10	1.1.1.1	0xa4e6	Standard query (0)	followhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.044270039 CEST	192.168.2.10	1.1.1.1	0x8227	Standard query (0)	memberhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.055701971 CEST	192.168.2.10	1.1.1.1	0xd5d7	Standard query (0)	followneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.305075884 CEST	192.168.2.10	1.1.1.1	0xe72e	Standard query (0)	memberneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.555934906 CEST	192.168.2.10	1.1.1.1	0x8a41	Standard query (0)	followsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:39.217190981 CEST	192.168.2.10	1.1.1.1	0x32d8	Standard query (0)	followtrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:39.693505049 CEST	192.168.2.10	1.1.1.1	0x8db3	Standard query (0)	beginhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.101309061 CEST	192.168.2.10	1.1.1.1	0xf3c1	Standard query (0)	knownhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.113485098 CEST	192.168.2.10	1.1.1.1	0x603e	Standard query (0)	beginneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.371021986 CEST	192.168.2.10	1.1.1.1	0xd6a2	Standard query (0)	knownneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.383068085 CEST	192.168.2.10	1.1.1.1	0x2f7b	Standard query (0)	beginsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.626787901 CEST	192.168.2.10	1.1.1.1	0x26b1	Standard query (0)	knownsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.639264107 CEST	192.168.2.10	1.1.1.1	0xa483	Standard query (0)	begintrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.882358074 CEST	192.168.2.10	1.1.1.1	0xce68	Standard query (0)	knowntrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.894454956 CEST	192.168.2.10	1.1.1.1	0x2f1	Standard query (0)	summerhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.907175064 CEST	192.168.2.10	1.1.1.1	0xb7e1	Standard query (0)	crowdhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.919703960 CEST	192.168.2.10	1.1.1.1	0x9aec	Standard query (0)	summerneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.933425903 CEST	192.168.2.10	1.1.1.1	0xe051	Standard query (0)	crowdneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.951628923 CEST	192.168.2.10	1.1.1.1	0xfe8d	Standard query (0)	summersystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.962682962 CEST	192.168.2.10	1.1.1.1	0x5b9	Standard query (0)	crowdsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.204370022 CEST	192.168.2.10	1.1.1.1	0xc79a	Standard query (0)	summertrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.717185020 CEST	192.168.2.10	1.1.1.1	0xfa34	Standard query (0)	thoughthonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.729144096 CEST	192.168.2.10	1.1.1.1	0x2b94	Standard query (0)	waterhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.740993977 CEST	192.168.2.10	1.1.1.1	0x3018	Standard query (0)	thoughtneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.982271910 CEST	192.168.2.10	1.1.1.1	0xb7e6	Standard query (0)	waterneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:43.908318043 CEST	192.168.2.10	1.1.1.1	0xb21	Standard query (0)	thoughttrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:43.920840025 CEST	192.168.2.10	1.1.1.1	0x2eab	Standard query (0)	watertrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.784192085 CEST	192.168.2.10	1.1.1.1	0x19d2	Standard query (0)	smokehonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.795068979 CEST	192.168.2.10	1.1.1.1	0x51bf	Standard query (0)	womanneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.807228088 CEST	192.168.2.10	1.1.1.1	0x4cee	Standard query (0)	smokeneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.820108891 CEST	192.168.2.10	1.1.1.1	0x3fad	Standard query (0)	womansystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.830421925 CEST	192.168.2.10	1.1.1.1	0x6d9a	Standard query (0)	smokesystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.841397047 CEST	192.168.2.10	1.1.1.1	0x233	Standard query (0)	womantrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.083591938 CEST	192.168.2.10	1.1.1.1	0xfc42	Standard query (0)	smoketrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.094821930 CEST	192.168.2.10	1.1.1.1	0xb8b8	Standard query (0)	partyhonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.339423895 CEST	192.168.2.10	1.1.1.1	0xf8db	Standard query (0)	fighthonor.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.351133108 CEST	192.168.2.10	1.1.1.1	0xdb34	Standard query (0)	partyneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.362987995 CEST	192.168.2.10	1.1.1.1	0xc004	Standard query (0)	fightneither.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.533665895 CEST	192.168.2.10	1.1.1.1	0x98b3	Standard query (0)	partysystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.779071093 CEST	192.168.2.10	1.1.1.1	0xc12a	Standard query (0)	fightsystem.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.815004110 CEST	192.168.2.10	1.1.1.1	0xdc2b	Standard query (0)	partytrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.058651924 CEST	192.168.2.10	1.1.1.1	0x83cf	Standard query (0)	fighttrust.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.078293085 CEST	192.168.2.10	1.1.1.1	0xc7b4	Standard query (0)	freshlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.088753939 CEST	192.168.2.10	1.1.1.1	0xd54	Standard query (0)	experiencelaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.998140097 CEST	192.168.2.10	1.1.1.1	0x3e71	Standard query (0)	experiencefancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.241785049 CEST	192.168.2.10	1.1.1.1	0x1576	Standard query (0)	freshconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.255152941 CEST	192.168.2.10	1.1.1.1	0xaf56	Standard query (0)	experienceconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.267287970 CEST	192.168.2.10	1.1.1.1	0x7a99	Standard query (0)	freshfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.514270067 CEST	192.168.2.10	1.1.1.1	0xe9d2	Standard query (0)	experiencefriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.758739948 CEST	192.168.2.10	1.1.1.1	0xcaad	Standard query (0)	gentlemanlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.031780958 CEST	192.168.2.10	1.1.1.1	0xf1ea	Standard query (0)	alreadylaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.285063982 CEST	192.168.2.10	1.1.1.1	0xca20	Standard query (0)	gentlemanfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.296413898 CEST	192.168.2.10	1.1.1.1	0x6695	Standard query (0)	alreadyfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.308526993 CEST	192.168.2.10	1.1.1.1	0x3f7b	Standard query (0)	gentlemanconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.321218014 CEST	192.168.2.10	1.1.1.1	0xab43	Standard query (0)	alreadyconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.573508024 CEST	192.168.2.10	1.1.1.1	0xab36	Standard query (0)	gentlemanfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.099983931 CEST	192.168.2.10	1.1.1.1	0x8143	Standard query (0)	followlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.343247890 CEST	192.168.2.10	1.1.1.1	0x2194	Standard query (0)	memberlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.355525017 CEST	192.168.2.10	1.1.1.1	0x6e45	Standard query (0)	followfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.367110968 CEST	192.168.2.10	1.1.1.1	0xa5d6	Standard query (0)	memberfancy.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.380302906 CEST	192.168.2.10	1.1.1.1	0xceba	Standard query (0)	followconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.393454075 CEST	192.168.2.10	1.1.1.1	0x18f3	Standard query (0)	memberconsider.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.356137037 CEST	192.168.2.10	1.1.1.1	0xddeb	Standard query (0)	memberfriend.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.390471935 CEST	192.168.2.10	1.1.1.1	0x486e	Standard query (0)	beginlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.411632061 CEST	192.168.2.10	1.1.1.1	0x9cb4	Standard query (0)	knownlaughter.net	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.487083912 CEST	192.168.2.10	1.1.1.1	0xda	Standard query (0)	beginfancy.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Aug 5, 2024 16:31:03.123699903 CEST	1.1.1.1	192.168.2.10	0xcdf9	Name error (3)	smokeclear.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.368786097 CEST	1.1.1.1	192.168.2.10	0x9076	Name error (3)	womangeneral.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.619467974 CEST	1.1.1.1	192.168.2.10	0xb4ff	Name error (3)	smokegeneral.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.632782936 CEST	1.1.1.1	192.168.2.10	0xb8e8	Name error (3)	womaninclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.644922972 CEST	1.1.1.1	192.168.2.10	0x45b1	Name error (3)	smokeinclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.897247076 CEST	1.1.1.1	192.168.2.10	0x91f0	Name error (3)	womannorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.914211035 CEST	1.1.1.1	192.168.2.10	0x9dc3	Name error (3)	smokenorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:03.929848909 CEST	1.1.1.1	192.168.2.10	0xfb50	Name error (3)	partyclear.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:04.175720930 CEST	1.1.1.1	192.168.2.10	0x5d33	Name error (3)	fightclear.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:04.595024109 CEST	1.1.1.1	192.168.2.10	0x7504	No error (0)	partygeneral.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:04.595024109 CEST	1.1.1.1	192.168.2.10	0x7504	No error (0)	partygeneral.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.027597904 CEST	1.1.1.1	192.168.2.10	0x1c2b	Name error (3)	fightgeneral.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.039952993 CEST	1.1.1.1	192.168.2.10	0x4706	Name error (3)	partyinclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.052355051 CEST	1.1.1.1	192.168.2.10	0xdb65	Name error (3)	fightinclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.065361023 CEST	1.1.1.1	192.168.2.10	0x2ec2	Name error (3)	partynorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.077836990 CEST	1.1.1.1	192.168.2.10	0xa040	Name error (3)	fightnorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.091353893 CEST	1.1.1.1	192.168.2.10	0xa1d7	Name error (3)	freshbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.104657888 CEST	1.1.1.1	192.168.2.10	0xadee	Name error (3)	experiencebranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.121541023 CEST	1.1.1.1	192.168.2.10	0x950c	Name error (3)	freshbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.171524048 CEST	1.1.1.1	192.168.2.10	0x7acf	Name error (3)	experiencebelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.189651966 CEST	1.1.1.1	192.168.2.10	0x56f7	Name error (3)	freshreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.213581085 CEST	1.1.1.1	192.168.2.10	0x66e8	Name error (3)	experiencereceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.456006050 CEST	1.1.1.1	192.168.2.10	0x548	Name error (3)	freshquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.468146086 CEST	1.1.1.1	192.168.2.10	0xd2df	Name error (3)	experiencequarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.481534958 CEST	1.1.1.1	192.168.2.10	0x8a17	Name error (3)	gentlemanbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.496880054 CEST	1.1.1.1	192.168.2.10	0xc484	Name error (3)	alreadybranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.741897106 CEST	1.1.1.1	192.168.2.10	0x9d71	Name error (3)	gentlemanbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:08.754390955 CEST	1.1.1.1	192.168.2.10	0xe2c8	Name error (3)	alreadybelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.137027979 CEST	1.1.1.1	192.168.2.10	0x1c1e	Name error (3)	gentlemanreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.148044109 CEST	1.1.1.1	192.168.2.10	0x78f4	Name error (3)	alreadyreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.159317017 CEST	1.1.1.1	192.168.2.10	0x7d4f	Name error (3)	gentlemanquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.174053907 CEST	1.1.1.1	192.168.2.10	0xa6b9	Name error (3)	alreadyquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.193505049 CEST	1.1.1.1	192.168.2.10	0x8705	Name error (3)	followbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.205033064 CEST	1.1.1.1	192.168.2.10	0x5de0	Name error (3)	memberbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.217638969 CEST	1.1.1.1	192.168.2.10	0x39f8	Name error (3)	followbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.229449987 CEST	1.1.1.1	192.168.2.10	0xb8d3	Name error (3)	memberbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:09.650331974 CEST	1.1.1.1	192.168.2.10	0x4c9e	Name error (3)	followreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:10.984312057 CEST	1.1.1.1	192.168.2.10	0xa3de	No error (0)	memberreceive.net		35.164.78.200	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:10.984333992 CEST	1.1.1.1	192.168.2.10	0xa3de	No error (0)	memberreceive.net		35.164.78.200	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.758243084 CEST	1.1.1.1	192.168.2.10	0xf426	Name error (3)	followquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.923599005 CEST	1.1.1.1	192.168.2.10	0x2727	Name error (3)	memberquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.935796976 CEST	1.1.1.1	192.168.2.10	0xe10	Name error (3)	beginbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.950258970 CEST	1.1.1.1	192.168.2.10	0x7053	Name error (3)	knownbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.962147951 CEST	1.1.1.1	192.168.2.10	0xe042	Name error (3)	beginbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.976102114 CEST	1.1.1.1	192.168.2.10	0x137f	Name error (3)	knownbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.985924006 CEST	1.1.1.1	192.168.2.10	0xb1b9	Name error (3)	beginreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:11.998321056 CEST	1.1.1.1	192.168.2.10	0x34a	Name error (3)	knownreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.010941982 CEST	1.1.1.1	192.168.2.10	0x23a3	Name error (3)	beginquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.022568941 CEST	1.1.1.1	192.168.2.10	0x10c5	Name error (3)	knownquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.266926050 CEST	1.1.1.1	192.168.2.10	0xe434	Name error (3)	summerbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.433532953 CEST	1.1.1.1	192.168.2.10	0xb597	Name error (3)	crowdbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.445215940 CEST	1.1.1.1	192.168.2.10	0xd	Name error (3)	summerbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.456923008 CEST	1.1.1.1	192.168.2.10	0xf72	Name error (3)	crowdbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.707465887 CEST	1.1.1.1	192.168.2.10	0xa75	Name error (3)	summerreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.720959902 CEST	1.1.1.1	192.168.2.10	0x219	Name error (3)	crowdreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.966407061 CEST	1.1.1.1	192.168.2.10	0x6e4	Name error (3)	summerquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:12.978590965 CEST	1.1.1.1	192.168.2.10	0xe28e	Name error (3)	crowdquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:13.170535088 CEST	1.1.1.1	192.168.2.10	0x53a8	No error (0)	thoughtbranch.net		34.246.200.160	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:13.958558083 CEST	1.1.1.1	192.168.2.10	0x7a73	Name error (3)	waterbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.219438076 CEST	1.1.1.1	192.168.2.10	0xe6e7	Name error (3)	thoughtbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.231827974 CEST	1.1.1.1	192.168.2.10	0x79cd	Name error (3)	waterbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.487895012 CEST	1.1.1.1	192.168.2.10	0xef7b	Name error (3)	thoughtreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.501066923 CEST	1.1.1.1	192.168.2.10	0xb732	Name error (3)	waterreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.745045900 CEST	1.1.1.1	192.168.2.10	0xab4e	Name error (3)	thoughtquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.758243084 CEST	1.1.1.1	192.168.2.10	0xd17d	Name error (3)	waterquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:14.771692038 CEST	1.1.1.1	192.168.2.10	0xfc3c	Name error (3)	womanbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.015778065 CEST	1.1.1.1	192.168.2.10	0x52ca	Name error (3)	smokebranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.029992104 CEST	1.1.1.1	192.168.2.10	0x8000	No error (0)	womanbelieve.net		15.197.142.173	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.029992104 CEST	1.1.1.1	192.168.2.10	0x8000	No error (0)	womanbelieve.net		3.33.152.147	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.557074070 CEST	1.1.1.1	192.168.2.10	0x23be	Name error (3)	smokebelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.569936037 CEST	1.1.1.1	192.168.2.10	0xf482	Name error (3)	womanreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.821790934 CEST	1.1.1.1	192.168.2.10	0xbdee	Name error (3)	smokereceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:15.989303112 CEST	1.1.1.1	192.168.2.10	0x8f7b	Name error (3)	womanquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.001560926 CEST	1.1.1.1	192.168.2.10	0x3c5b	Name error (3)	smokequarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.013400078 CEST	1.1.1.1	192.168.2.10	0xd530	Name error (3)	partybranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.266304016 CEST	1.1.1.1	192.168.2.10	0xc3d3	Name error (3)	fightbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:16.723171949 CEST	1.1.1.1	192.168.2.10	0x8a0	No error (0)	partybelieve.net		15.197.192.55	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.225441933 CEST	1.1.1.1	192.168.2.10	0x9e1a	Name error (3)	fightbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.238430023 CEST	1.1.1.1	192.168.2.10	0xd3e5	Name error (3)	partyreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.249182940 CEST	1.1.1.1	192.168.2.10	0x8052	Name error (3)	fightreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.267744064 CEST	1.1.1.1	192.168.2.10	0xbc82	Name error (3)	partyquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.280169010 CEST	1.1.1.1	192.168.2.10	0x97f1	Name error (3)	fightquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.530540943 CEST	1.1.1.1	192.168.2.10	0x3307	Name error (3)	freshhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.544811010 CEST	1.1.1.1	192.168.2.10	0x5265	Name error (3)	experiencehonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.557107925 CEST	1.1.1.1	192.168.2.10	0xd940	Name error (3)	freshneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:17.807112932 CEST	1.1.1.1	192.168.2.10	0x27de	Name error (3)	experienceneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.051311970 CEST	1.1.1.1	192.168.2.10	0x99fd	Name error (3)	freshsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.295154095 CEST	1.1.1.1	192.168.2.10	0x5349	Name error (3)	experiencesystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.306874990 CEST	1.1.1.1	192.168.2.10	0xe939	Name error (3)	freshtrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.318855047 CEST	1.1.1.1	192.168.2.10	0x543c	Name error (3)	experiencetrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.561886072 CEST	1.1.1.1	192.168.2.10	0xbe88	Name error (3)	gentlemanhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.573410034 CEST	1.1.1.1	192.168.2.10	0x7d30	Name error (3)	alreadyhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.584362030 CEST	1.1.1.1	192.168.2.10	0x741a	Name error (3)	gentlemanneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.594999075 CEST	1.1.1.1	192.168.2.10	0x248b	Name error (3)	alreadyneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.606939077 CEST	1.1.1.1	192.168.2.10	0xe3c9	Name error (3)	gentlemansystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.618376017 CEST	1.1.1.1	192.168.2.10	0xb86a	Name error (3)	alreadysystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.629687071 CEST	1.1.1.1	192.168.2.10	0x9a3	Name error (3)	gentlemantrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.641130924 CEST	1.1.1.1	192.168.2.10	0xe9f3	Name error (3)	alreadytrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.652705908 CEST	1.1.1.1	192.168.2.10	0x22d1	Name error (3)	followhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.664110899 CEST	1.1.1.1	192.168.2.10	0x3b0d	Name error (3)	memberhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.674818039 CEST	1.1.1.1	192.168.2.10	0x2b1f	Name error (3)	followneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:18.925134897 CEST	1.1.1.1	192.168.2.10	0xede9	Name error (3)	memberneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.167649984 CEST	1.1.1.1	192.168.2.10	0x9e26	Name error (3)	followsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.201889038 CEST	1.1.1.1	192.168.2.10	0xaa0	No error (0)	membersystem.net		85.13.130.3	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.855760098 CEST	1.1.1.1	192.168.2.10	0xc683	Name error (3)	followtrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.867927074 CEST	1.1.1.1	192.168.2.10	0xeea8	No error (0)	membertrust.net		3.33.130.190	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:19.867927074 CEST	1.1.1.1	192.168.2.10	0xeea8	No error (0)	membertrust.net		15.197.148.33	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:20.624916077 CEST	1.1.1.1	192.168.2.10	0x9f13	Name error (3)	beginhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:20.875731945 CEST	1.1.1.1	192.168.2.10	0x367	Name error (3)	knownhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.131767035 CEST	1.1.1.1	192.168.2.10	0xa5bb	Name error (3)	beginneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.144817114 CEST	1.1.1.1	192.168.2.10	0xa844	Name error (3)	knownneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.395152092 CEST	1.1.1.1	192.168.2.10	0xd2a0	Name error (3)	beginsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.411504030 CEST	1.1.1.1	192.168.2.10	0xd80c	Name error (3)	knownsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.427007914 CEST	1.1.1.1	192.168.2.10	0x67e1	Name error (3)	begintrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.438431025 CEST	1.1.1.1	192.168.2.10	0x6dc1	Name error (3)	knowntrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:21.689698935 CEST	1.1.1.1	192.168.2.10	0x890e	Name error (3)	summerhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.178817987 CEST	1.1.1.1	192.168.2.10	0x443e	Name error (3)	crowdhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.191232920 CEST	1.1.1.1	192.168.2.10	0x913f	Name error (3)	summerneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.434514999 CEST	1.1.1.1	192.168.2.10	0xc9b2	Name error (3)	crowdneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.447223902 CEST	1.1.1.1	192.168.2.10	0xac25	Name error (3)	summersystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.460253954 CEST	1.1.1.1	192.168.2.10	0x3d1a	Name error (3)	crowdsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.705440998 CEST	1.1.1.1	192.168.2.10	0x30a5	Name error (3)	summertrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:22.964427948 CEST	1.1.1.1	192.168.2.10	0xadae	No error (0)	crowdtrust.net		170.187.200.48	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.733464003 CEST	1.1.1.1	192.168.2.10	0x83d1	Name error (3)	thoughthonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.744991064 CEST	1.1.1.1	192.168.2.10	0x27e	Name error (3)	waterhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.759248018 CEST	1.1.1.1	192.168.2.10	0x3aa	Name error (3)	thoughtneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.772066116 CEST	1.1.1.1	192.168.2.10	0x574c	Name error (3)	waterneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:23.807327032 CEST	1.1.1.1	192.168.2.10	0xfc6a	No error (0)	thoughtsystem.net		213.171.195.105	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:24.602765083 CEST	1.1.1.1	192.168.2.10	0x686	No error (0)	watersystem.net		64.190.63.222	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:25.254368067 CEST	1.1.1.1	192.168.2.10	0x52f4	Name error (3)	thoughttrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:25.499044895 CEST	1.1.1.1	192.168.2.10	0x6c00	Name error (3)	watertrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:25.596424103 CEST	1.1.1.1	192.168.2.10	0xf0df	No error (0)	womanhonor.net		54.244.188.177	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.349932909 CEST	1.1.1.1	192.168.2.10	0x577b	Name error (3)	smokehonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.362919092 CEST	1.1.1.1	192.168.2.10	0x5974	Name error (3)	womanneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.603879929 CEST	1.1.1.1	192.168.2.10	0xdc5	Name error (3)	smokeneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.847558022 CEST	1.1.1.1	192.168.2.10	0x8abf	Name error (3)	womansystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.862624884 CEST	1.1.1.1	192.168.2.10	0x6100	Name error (3)	smokesystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.871279955 CEST	1.1.1.1	192.168.2.10	0x6a99	Name error (3)	womantrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.885158062 CEST	1.1.1.1	192.168.2.10	0xec04	Name error (3)	smoketrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.896200895 CEST	1.1.1.1	192.168.2.10	0x1c3e	Name error (3)	partyhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.913167000 CEST	1.1.1.1	192.168.2.10	0xef35	Name error (3)	fighthonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.925261974 CEST	1.1.1.1	192.168.2.10	0x9431	Name error (3)	partyneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.939064980 CEST	1.1.1.1	192.168.2.10	0x4791	Name error (3)	fightneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:26.950956106 CEST	1.1.1.1	192.168.2.10	0xcb55	Name error (3)	partysystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.235472918 CEST	1.1.1.1	192.168.2.10	0xa222	Name error (3)	partytrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.248698950 CEST	1.1.1.1	192.168.2.10	0xb144	Name error (3)	fighttrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.260973930 CEST	1.1.1.1	192.168.2.10	0xe2aa	Name error (3)	freshlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.273179054 CEST	1.1.1.1	192.168.2.10	0x993c	Name error (3)	experiencelaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:27.289246082 CEST	1.1.1.1	192.168.2.10	0xba37	No error (0)	freshfancy.net		81.169.145.88	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.197757006 CEST	1.1.1.1	192.168.2.10	0xed28	Name error (3)	experiencefancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.450350046 CEST	1.1.1.1	192.168.2.10	0x2977	Name error (3)	freshconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.462909937 CEST	1.1.1.1	192.168.2.10	0x97cc	Name error (3)	experienceconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.475003004 CEST	1.1.1.1	192.168.2.10	0x5524	Name error (3)	freshfriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.486460924 CEST	1.1.1.1	192.168.2.10	0x9e1a	Name error (3)	experiencefriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.497008085 CEST	1.1.1.1	192.168.2.10	0xc4c5	Name error (3)	gentlemanlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.741091967 CEST	1.1.1.1	192.168.2.10	0x92db	Name error (3)	alreadylaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:28.754682064 CEST	1.1.1.1	192.168.2.10	0x9448	Name error (3)	gentlemanfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.274082899 CEST	1.1.1.1	192.168.2.10	0x2379	Name error (3)	alreadyfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.289019108 CEST	1.1.1.1	192.168.2.10	0xf24f	Name error (3)	gentlemanconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.532686949 CEST	1.1.1.1	192.168.2.10	0xd1	Name error (3)	alreadyconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:29.776072025 CEST	1.1.1.1	192.168.2.10	0xaec	Name error (3)	gentlemanfriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.116986990 CEST	1.1.1.1	192.168.2.10	0xa474	No error (0)	alreadyfriend.net		15.197.192.55	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.599284887 CEST	1.1.1.1	192.168.2.10	0xaf06	Name error (3)	followlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.842122078 CEST	1.1.1.1	192.168.2.10	0xc2b9	Name error (3)	memberlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.861856937 CEST	1.1.1.1	192.168.2.10	0x93e8	Name error (3)	followfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.875878096 CEST	1.1.1.1	192.168.2.10	0xb04b	Name error (3)	memberfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:30.887962103 CEST	1.1.1.1	192.168.2.10	0x2573	Name error (3)	followconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.129909992 CEST	1.1.1.1	192.168.2.10	0x2ef5	Name error (3)	memberconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.271533012 CEST	1.1.1.1	192.168.2.10	0x1041	No error (0)	followfriend.net		188.225.40.227	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.947421074 CEST	1.1.1.1	192.168.2.10	0x5fe2	Name error (3)	memberfriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.961842060 CEST	1.1.1.1	192.168.2.10	0x3dd4	Name error (3)	beginlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.979315996 CEST	1.1.1.1	192.168.2.10	0x60ba	Name error (3)	knownlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:31:31.991684914 CEST	1.1.1.1	192.168.2.10	0x662e	Name error (3)	beginfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.033854008 CEST	1.1.1.1	192.168.2.10	0x8e2a	Name error (3)	smokeclear.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.053932905 CEST	1.1.1.1	192.168.2.10	0xe6c3	Name error (3)	womangeneral.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.067715883 CEST	1.1.1.1	192.168.2.10	0x9b60	Name error (3)	smokegeneral.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.080652952 CEST	1.1.1.1	192.168.2.10	0x2afe	Name error (3)	womaninclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.089755058 CEST	1.1.1.1	192.168.2.10	0x14f5	Name error (3)	smokeinclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.334707975 CEST	1.1.1.1	192.168.2.10	0x3c6e	Name error (3)	womannorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.348012924 CEST	1.1.1.1	192.168.2.10	0xb756	Name error (3)	smokenorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.514712095 CEST	1.1.1.1	192.168.2.10	0xccdf	Name error (3)	partyclear.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:22.757802010 CEST	1.1.1.1	192.168.2.10	0x7575	Name error (3)	fightclear.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.197201014 CEST	1.1.1.1	192.168.2.10	0xc625	Name error (3)	fightgeneral.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.448008060 CEST	1.1.1.1	192.168.2.10	0x5b7b	Name error (3)	partyinclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.462788105 CEST	1.1.1.1	192.168.2.10	0xc4e	Name error (3)	fightinclude.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.474508047 CEST	1.1.1.1	192.168.2.10	0xf858	Name error (3)	partynorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.488100052 CEST	1.1.1.1	192.168.2.10	0xd72e	Name error (3)	fightnorth.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.499778032 CEST	1.1.1.1	192.168.2.10	0x67d2	Name error (3)	freshbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.510442019 CEST	1.1.1.1	192.168.2.10	0x41e2	Name error (3)	experiencebranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.522083998 CEST	1.1.1.1	192.168.2.10	0x590d	Name error (3)	freshbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:24.765403032 CEST	1.1.1.1	192.168.2.10	0xfcf8	Name error (3)	experiencebelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.017735958 CEST	1.1.1.1	192.168.2.10	0xb7e0	Name error (3)	freshreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.172645092 CEST	1.1.1.1	192.168.2.10	0x55e3	Name error (3)	experiencereceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.424228907 CEST	1.1.1.1	192.168.2.10	0x804e	Name error (3)	freshquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.668515921 CEST	1.1.1.1	192.168.2.10	0xce29	Name error (3)	experiencequarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.683319092 CEST	1.1.1.1	192.168.2.10	0xbe3e	Name error (3)	gentlemanbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.698292971 CEST	1.1.1.1	192.168.2.10	0xe5c1	Name error (3)	alreadybranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.710163116 CEST	1.1.1.1	192.168.2.10	0x69f7	Name error (3)	gentlemanbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.953505039 CEST	1.1.1.1	192.168.2.10	0x3925	Name error (3)	alreadybelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:25.966516972 CEST	1.1.1.1	192.168.2.10	0xb02c	Name error (3)	gentlemanreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.218379974 CEST	1.1.1.1	192.168.2.10	0x957b	Name error (3)	alreadyreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.230578899 CEST	1.1.1.1	192.168.2.10	0xef94	Name error (3)	gentlemanquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.474489927 CEST	1.1.1.1	192.168.2.10	0xd4f3	Name error (3)	alreadyquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.717175961 CEST	1.1.1.1	192.168.2.10	0xf17a	Name error (3)	followbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.729314089 CEST	1.1.1.1	192.168.2.10	0x1e3f	Name error (3)	memberbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:26.743012905 CEST	1.1.1.1	192.168.2.10	0x995d	Name error (3)	followbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:27.232798100 CEST	1.1.1.1	192.168.2.10	0x2905	Name error (3)	memberbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:27.775676966 CEST	1.1.1.1	192.168.2.10	0x6462	Name error (3)	followreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.663933992 CEST	1.1.1.1	192.168.2.10	0x3a69	Name error (3)	followquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.675689936 CEST	1.1.1.1	192.168.2.10	0xe88d	Name error (3)	memberquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.691517115 CEST	1.1.1.1	192.168.2.10	0x4ef8	Name error (3)	beginbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.706552029 CEST	1.1.1.1	192.168.2.10	0xd007	Name error (3)	knownbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.868716002 CEST	1.1.1.1	192.168.2.10	0xd0f7	Name error (3)	beginbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:28.879950047 CEST	1.1.1.1	192.168.2.10	0x7c98	Name error (3)	knownbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.122548103 CEST	1.1.1.1	192.168.2.10	0x7d18	Name error (3)	beginreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.365197897 CEST	1.1.1.1	192.168.2.10	0x9afe	Name error (3)	knownreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.378705025 CEST	1.1.1.1	192.168.2.10	0x757f	Name error (3)	beginquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.391655922 CEST	1.1.1.1	192.168.2.10	0xd29c	Name error (3)	knownquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.400578976 CEST	1.1.1.1	192.168.2.10	0x2441	Name error (3)	summerbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.418683052 CEST	1.1.1.1	192.168.2.10	0x5e6	Name error (3)	crowdbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.660914898 CEST	1.1.1.1	192.168.2.10	0x573	Name error (3)	summerbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.672277927 CEST	1.1.1.1	192.168.2.10	0x6db4	Name error (3)	crowdbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.685389042 CEST	1.1.1.1	192.168.2.10	0xaae2	Name error (3)	summerreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.701284885 CEST	1.1.1.1	192.168.2.10	0xf1b3	Name error (3)	crowdreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:29.713119030 CEST	1.1.1.1	192.168.2.10	0x51cc	Name error (3)	summerquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:30.907732964 CEST	1.1.1.1	192.168.2.10	0xc1fa	Name error (3)	crowdquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:30.917253971 CEST	1.1.1.1	192.168.2.10	0xc1fa	Name error (3)	crowdquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.062247992 CEST	1.1.1.1	192.168.2.10	0x761d	Name error (3)	waterbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.075095892 CEST	1.1.1.1	192.168.2.10	0xf2aa	Name error (3)	thoughtbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.317081928 CEST	1.1.1.1	192.168.2.10	0x8c70	Name error (3)	waterbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:32.570079088 CEST	1.1.1.1	192.168.2.10	0x7457	Name error (3)	thoughtreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.075577021 CEST	1.1.1.1	192.168.2.10	0xf617	Name error (3)	waterreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.318655968 CEST	1.1.1.1	192.168.2.10	0xb53	Name error (3)	thoughtquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.331310034 CEST	1.1.1.1	192.168.2.10	0xf050	Name error (3)	waterquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.342911959 CEST	1.1.1.1	192.168.2.10	0x3733	Name error (3)	womanbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:33.585846901 CEST	1.1.1.1	192.168.2.10	0x549	Name error (3)	smokebranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.088249922 CEST	1.1.1.1	192.168.2.10	0xe3ec	Name error (3)	smokebelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.100713968 CEST	1.1.1.1	192.168.2.10	0x1465	Name error (3)	womanreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.112740040 CEST	1.1.1.1	192.168.2.10	0x9c21	Name error (3)	smokereceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.124320984 CEST	1.1.1.1	192.168.2.10	0xe66b	Name error (3)	womanquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.288577080 CEST	1.1.1.1	192.168.2.10	0x5049	Name error (3)	smokequarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.530987978 CEST	1.1.1.1	192.168.2.10	0x801f	Name error (3)	partybranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:34.543565989 CEST	1.1.1.1	192.168.2.10	0xf0d2	Name error (3)	fightbranch.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.095653057 CEST	1.1.1.1	192.168.2.10	0xc6dd	Name error (3)	fightbelieve.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.110565901 CEST	1.1.1.1	192.168.2.10	0x42ad	Name error (3)	partyreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.127053022 CEST	1.1.1.1	192.168.2.10	0x1c80	Name error (3)	fightreceive.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.288882017 CEST	1.1.1.1	192.168.2.10	0x4392	Name error (3)	partyquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.301291943 CEST	1.1.1.1	192.168.2.10	0x21f1	Name error (3)	fightquarter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.312129021 CEST	1.1.1.1	192.168.2.10	0x4574	Name error (3)	freshhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.554799080 CEST	1.1.1.1	192.168.2.10	0x2142	Name error (3)	experiencehonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.570971966 CEST	1.1.1.1	192.168.2.10	0x96a	Name error (3)	freshneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:36.581650019 CEST	1.1.1.1	192.168.2.10	0x89cb	Name error (3)	experienceneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.001276970 CEST	1.1.1.1	192.168.2.10	0xc506	Name error (3)	freshsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.014401913 CEST	1.1.1.1	192.168.2.10	0xbbda	Name error (3)	experiencesystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.027705908 CEST	1.1.1.1	192.168.2.10	0x785b	Name error (3)	freshtrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.038834095 CEST	1.1.1.1	192.168.2.10	0xaa07	Name error (3)	experiencetrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.478445053 CEST	1.1.1.1	192.168.2.10	0x1bf3	Name error (3)	gentlemanhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.722038031 CEST	1.1.1.1	192.168.2.10	0x16a4	Name error (3)	alreadyhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.734090090 CEST	1.1.1.1	192.168.2.10	0xbbbf	Name error (3)	gentlemanneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.985590935 CEST	1.1.1.1	192.168.2.10	0x578b	Name error (3)	alreadyneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:37.997615099 CEST	1.1.1.1	192.168.2.10	0x336f	Name error (3)	gentlemansystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.008923054 CEST	1.1.1.1	192.168.2.10	0xdfd7	Name error (3)	alreadysystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.020234108 CEST	1.1.1.1	192.168.2.10	0xdaaa	Name error (3)	gentlemantrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.032732010 CEST	1.1.1.1	192.168.2.10	0xc24	Name error (3)	alreadytrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.043525934 CEST	1.1.1.1	192.168.2.10	0xa4e6	Name error (3)	followhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.054968119 CEST	1.1.1.1	192.168.2.10	0x8227	Name error (3)	memberhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.297880888 CEST	1.1.1.1	192.168.2.10	0xd5d7	Name error (3)	followneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.554692030 CEST	1.1.1.1	192.168.2.10	0xe72e	Name error (3)	memberneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:38.567215919 CEST	1.1.1.1	192.168.2.10	0x8a41	Name error (3)	followsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:39.228540897 CEST	1.1.1.1	192.168.2.10	0x32d8	Name error (3)	followtrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.100369930 CEST	1.1.1.1	192.168.2.10	0x8db3	Name error (3)	beginhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.112272978 CEST	1.1.1.1	192.168.2.10	0xf3c1	Name error (3)	knownhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.366164923 CEST	1.1.1.1	192.168.2.10	0x603e	Name error (3)	beginneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.382249117 CEST	1.1.1.1	192.168.2.10	0xd6a2	Name error (3)	knownneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.625628948 CEST	1.1.1.1	192.168.2.10	0x2f7b	Name error (3)	beginsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.638185024 CEST	1.1.1.1	192.168.2.10	0x26b1	Name error (3)	knownsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.881513119 CEST	1.1.1.1	192.168.2.10	0xa483	Name error (3)	begintrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.892966032 CEST	1.1.1.1	192.168.2.10	0xce68	Name error (3)	knowntrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.906224012 CEST	1.1.1.1	192.168.2.10	0x2f1	Name error (3)	summerhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.918932915 CEST	1.1.1.1	192.168.2.10	0xb7e1	Name error (3)	crowdhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.932379007 CEST	1.1.1.1	192.168.2.10	0x9aec	Name error (3)	summerneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.950762033 CEST	1.1.1.1	192.168.2.10	0xe051	Name error (3)	crowdneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:40.961971998 CEST	1.1.1.1	192.168.2.10	0xfe8d	Name error (3)	summersystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.203352928 CEST	1.1.1.1	192.168.2.10	0x5b9	Name error (3)	crowdsystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.215627909 CEST	1.1.1.1	192.168.2.10	0xc79a	Name error (3)	summertrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.728296041 CEST	1.1.1.1	192.168.2.10	0xfa34	Name error (3)	thoughthonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.740360975 CEST	1.1.1.1	192.168.2.10	0x2b94	Name error (3)	waterhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.981301069 CEST	1.1.1.1	192.168.2.10	0x3018	Name error (3)	thoughtneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:41.992810011 CEST	1.1.1.1	192.168.2.10	0xb7e6	Name error (3)	waterneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:43.919918060 CEST	1.1.1.1	192.168.2.10	0xb21	Name error (3)	thoughttrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:43.931905985 CEST	1.1.1.1	192.168.2.10	0x2eab	Name error (3)	watertrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.794243097 CEST	1.1.1.1	192.168.2.10	0x19d2	Name error (3)	smokehonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.806416988 CEST	1.1.1.1	192.168.2.10	0x51bf	Name error (3)	womanneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.819499016 CEST	1.1.1.1	192.168.2.10	0x4cee	Name error (3)	smokeneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.829854965 CEST	1.1.1.1	192.168.2.10	0x3fad	Name error (3)	womansystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:44.840949059 CEST	1.1.1.1	192.168.2.10	0x6d9a	Name error (3)	smokesystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.082494974 CEST	1.1.1.1	192.168.2.10	0x233	Name error (3)	womantrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.094079971 CEST	1.1.1.1	192.168.2.10	0xfc42	Name error (3)	smoketrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.338329077 CEST	1.1.1.1	192.168.2.10	0xb8b8	Name error (3)	partyhonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.350200891 CEST	1.1.1.1	192.168.2.10	0xf8db	Name error (3)	fighthonor.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.362163067 CEST	1.1.1.1	192.168.2.10	0xdb34	Name error (3)	partyneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.532459021 CEST	1.1.1.1	192.168.2.10	0xc004	Name error (3)	fightneither.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:45.777915001 CEST	1.1.1.1	192.168.2.10	0x98b3	Name error (3)	partysystem.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.057610035 CEST	1.1.1.1	192.168.2.10	0xdc2b	Name error (3)	partytrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.077265024 CEST	1.1.1.1	192.168.2.10	0x83cf	Name error (3)	fighttrust.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.088011980 CEST	1.1.1.1	192.168.2.10	0xc7b4	Name error (3)	freshlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:46.328686953 CEST	1.1.1.1	192.168.2.10	0xd54	Name error (3)	experiencelaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.240871906 CEST	1.1.1.1	192.168.2.10	0x3e71	Name error (3)	experiencefancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.254311085 CEST	1.1.1.1	192.168.2.10	0x1576	Name error (3)	freshconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.266391993 CEST	1.1.1.1	192.168.2.10	0xaf56	Name error (3)	experienceconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.512999058 CEST	1.1.1.1	192.168.2.10	0x7a99	Name error (3)	freshfriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:47.757431984 CEST	1.1.1.1	192.168.2.10	0xe9d2	Name error (3)	experiencefriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.012943983 CEST	1.1.1.1	192.168.2.10	0xcaad	Name error (3)	gentlemanlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.284079075 CEST	1.1.1.1	192.168.2.10	0xf1ea	Name error (3)	alreadylaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.295645952 CEST	1.1.1.1	192.168.2.10	0xca20	Name error (3)	gentlemanfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.307679892 CEST	1.1.1.1	192.168.2.10	0x6695	Name error (3)	alreadyfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.320211887 CEST	1.1.1.1	192.168.2.10	0x3f7b	Name error (3)	gentlemanconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.572201967 CEST	1.1.1.1	192.168.2.10	0xab43	Name error (3)	alreadyconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:48.588815928 CEST	1.1.1.1	192.168.2.10	0xab36	Name error (3)	gentlemanfriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.342328072 CEST	1.1.1.1	192.168.2.10	0x8143	Name error (3)	followlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.354818106 CEST	1.1.1.1	192.168.2.10	0x2194	Name error (3)	memberlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.366461039 CEST	1.1.1.1	192.168.2.10	0x6e45	Name error (3)	followfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.379550934 CEST	1.1.1.1	192.168.2.10	0xa5d6	Name error (3)	memberfancy.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.392680883 CEST	1.1.1.1	192.168.2.10	0xceba	Name error (3)	followconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:49.633491039 CEST	1.1.1.1	192.168.2.10	0x18f3	Name error (3)	memberconsider.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.381472111 CEST	1.1.1.1	192.168.2.10	0xddeb	Name error (3)	memberfriend.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.401840925 CEST	1.1.1.1	192.168.2.10	0x486e	Name error (3)	beginlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.423181057 CEST	1.1.1.1	192.168.2.10	0x9cb4	Name error (3)	knownlaughter.net	none	none	A (IP address)	IN (0x0001)	false
Aug 5, 2024 16:32:50.502015114 CEST	1.1.1.1	192.168.2.10	0xda	Name error (3)	beginfancy.net	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

partygeneral.net

memberreceive.net

thoughtbranch.net

womanbelieve.net

partybelieve.net

membersystem.net

membertrust.net

crowdtrust.net

thoughtsystem.net

watersystem.net

womanhonor.net

freshfancy.net

alreadyfriend.net

followfriend.net

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	3.33.130.190	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:04.603718042 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: partygeneral.net
Aug 5, 2024 16:31:08.013556004 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:31:07 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49708	35.164.78.200	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:10.990581036 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: memberreceive.net
Aug 5, 2024 16:31:11.745836973 CEST	382	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:31:11 GMT Content-Type: text/html Connection: close Set-Cookie: btst=1ccc9a3eef2962ce52d5d23cf8200387\|8.46.123.33\|1722868271\|1722868271\|0\|1\|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49709	34.246.200.160	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:13.177247047 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: thoughtbranch.net
Aug 5, 2024 16:31:13.938179970 CEST	382	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:31:13 GMT Content-Type: text/html Connection: close Set-Cookie: btst=1f2ddad0f86caffefd5d2d04a58d8d14\|8.46.123.33\|1722868273\|1722868273\|0\|1\|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49710	15.197.142.173	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:15.036025047 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: womanbelieve.net
Aug 5, 2024 16:31:15.544984102 CEST	266	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 05 Aug 2024 14:31:15 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49711	15.197.192.55	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:16.728858948 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: partybelieve.net
Aug 5, 2024 16:31:17.214251041 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:31:17 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49714	85.13.130.3	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:19.207770109 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: membersystem.net
Aug 5, 2024 16:31:19.843400002 CEST	452	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 05 Aug 2024 14:31:19 GMT Server: Apache Location: https://all-inkl.com/index.php Content-Length: 238 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 2d 69 6e 6b 6c 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://all-inkl.com/index.php">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49716	3.33.130.190	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:19.873462915 CEST	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: membertrust.net
Aug 5, 2024 16:31:20.373877048 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:31:20 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49719	170.187.200.48	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:22.971522093 CEST	81	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: crowdtrust.net
Aug 5, 2024 16:31:23.484765053 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 05 Aug 2024 14:31:23 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49720	213.171.195.105	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:23.813163042 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: thoughtsystem.net
Aug 5, 2024 16:31:24.426836014 CEST	1236	IN	HTTP/1.1 200 OK server: nginx/1.20.1 date: Mon, 05 Aug 2024 14:31:24 GMT content-type: text/html content-length: 2873 last-modified: Tue, 16 Jul 2024 14:31:13 GMT etag: "66968431-b39" accept-ranges: bytes connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
Aug 5, 2024 16:31:24.426889896 CEST	224	IN	Data Raw: 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 70 61 72 6b 65 64 20 66 6f 72 20 46 52 45 45 20 62 79 0a 20 20 20 20 20 20 20 Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class
Aug 5, 2024 16:31:24.426928997 CEST	1236	IN	Data Raw: 3d 22 63 61 72 64 20 63 61 72 64 2d 2d 69 73 2d 63 74 61 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 68 33 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 4c 6f 6f 6b 69 6e 67 20 74 6f 20 62 75 79 20 61 20 73 69 6d 69 6c 61 72 20 64 6f 6d 61 69 6e 20 74 Data Ascii: ="card card--is-cta"> <h3> Looking to buy a similar domain to <br> <strong><span class="domainVar"></span>?</strong> </h3> <a class="cta cta--primary" rel="nofollow" id="domainSearchCta">St
Aug 5, 2024 16:31:24.426961899 CEST	411	IN	Data Raw: 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 7c 7c 20 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 72 65 70 6c 61 63 65 28 22 77 77 77 2e 22 2c 20 22 22 29 0a 20 20 20 20 64 6f 63 Data Ascii: cument.location.hostname \|\| document.location.hostname.replace("www.", "") document.querySelectorAll(".domainVar").forEach(placeholder => placeholder.innerText = cleanHostname) document.getElementById("domainSearchCta").href = `https:/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49721	64.190.63.222	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:24.609029055 CEST	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: watersystem.net
Aug 5, 2024 16:31:25.243453026 CEST	208	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49722	54.244.188.177	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:25.602329969 CEST	81	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: womanhonor.net
Aug 5, 2024 16:31:26.337407112 CEST	379	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:31:26 GMT Content-Type: text/html Connection: close Set-Cookie: btst=741ae241df3fcc76a710c7e9e0bd7945\|8.46.123.33\|1722868286\|1722868286\|0\|1\|0; path=/; domain=.womanhonor.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49723	81.169.145.88	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:27.295305967 CEST	81	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: freshfancy.net
Aug 5, 2024 16:31:27.951025009 CEST	374	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 14:31:27 GMT Server: Apache/2.4.61 (Unix) Content-Length: 196 Content-Type: text/html; charset=iso-8859-1 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49724	15.197.192.55	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:30.122541904 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: alreadyfriend.net
Aug 5, 2024 16:31:30.586142063 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:31:30 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49725	188.225.40.227	80	7336	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:31:31.277501106 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: followfriend.net
Aug 5, 2024 16:31:31.935910940 CEST	373	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.1 Date: Mon, 05 Aug 2024 14:31:31 GMT Content-Type: text/html Content-Length: 169 Connection: close Location: https://followfriend.net/index.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	50096	3.33.130.190	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:22.765919924 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: partygeneral.net
Aug 5, 2024 16:32:24.185717106 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:32:24 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	50097	35.164.78.200	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:27.782249928 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: memberreceive.net
Aug 5, 2024 16:32:28.648246050 CEST	382	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:32:28 GMT Content-Type: text/html Connection: close Set-Cookie: btst=7dfa934efdf1fa8419f2b3bf6ca90d69\|8.46.123.33\|1722868348\|1722868348\|0\|1\|0; path=/; domain=.memberreceive.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	50098	34.246.200.160	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:30.917957067 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: thoughtbranch.net
Aug 5, 2024 16:32:32.049094915 CEST	382	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:32:31 GMT Content-Type: text/html Connection: close Set-Cookie: btst=021459f7e167fe8e8c3192480cb3a5ee\|8.46.123.33\|1722868351\|1722868351\|0\|1\|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Aug 5, 2024 16:32:32.050523996 CEST	382	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:32:31 GMT Content-Type: text/html Connection: close Set-Cookie: btst=021459f7e167fe8e8c3192480cb3a5ee\|8.46.123.33\|1722868351\|1722868351\|0\|1\|0; path=/; domain=.thoughtbranch.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.10	50099	15.197.142.173	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:33.592585087 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: womanbelieve.net
Aug 5, 2024 16:32:34.075978041 CEST	266	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 05 Aug 2024 14:32:34 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.10	50100	15.197.192.55	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:34.553592920 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: partybelieve.net
Aug 5, 2024 16:32:36.084207058 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:32:34 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
Aug 5, 2024 16:32:36.084979057 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:32:34 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>
Aug 5, 2024 16:32:36.086308956 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:32:34 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.10	50101	85.13.130.3	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:38.575814009 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: membersystem.net
Aug 5, 2024 16:32:39.215950012 CEST	452	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 05 Aug 2024 14:32:39 GMT Server: Apache Location: https://all-inkl.com/index.php Content-Length: 238 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 61 6c 6c 2d 69 6e 6b 6c 2e 63 6f 6d 2f 69 6e 64 65 78 2e 70 68 70 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://all-inkl.com/index.php">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.10	50102	3.33.130.190	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:39.235579014 CEST	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: membertrust.net
Aug 5, 2024 16:32:39.692394972 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:32:39 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.10	50103	170.187.200.48	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:41.221635103 CEST	81	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: crowdtrust.net
Aug 5, 2024 16:32:41.716304064 CEST	289	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 05 Aug 2024 14:32:41 GMT Content-Type: text/html Content-Length: 146 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.10	50104	213.171.195.105	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:41.999102116 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: thoughtsystem.net
Aug 5, 2024 16:32:42.606091022 CEST	1236	IN	HTTP/1.1 200 OK server: nginx/1.20.1 date: Mon, 05 Aug 2024 14:32:42 GMT content-type: text/html content-length: 2873 last-modified: Tue, 16 Jul 2024 13:11:33 GMT etag: "66967185-b39" accept-ranges: bytes connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 44 6f 6d 61 69 6e 20 70 61 72 6b 69 6e 67 20 70 61 67 65 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 73 74 79 6c 65 73 2f 63 73 73 2f 69 6e 64 65 78 2e 63 73 73 22 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 61 74 69 63 2e 66 61 73 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Domain parking page</title> <link rel="stylesheet" href="/styles/css/index.css"> <link rel="shortcut icon" href="https://static.fasthosts.co.uk/icons/favicon.ico" type="image/x-icon" /> ... Global site tag (gtag.js) - Google Analytics --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-199510482-1"></script> <script> window.dataLayer = window.dataLayer \|\| []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-199510482-1'); </script> </head><body> <div class="container"> <nav class="logo"> <a href="https://fasthosts.co.uk/" rel="nofollow"> <img src="/assets/fasthosts-logo-secondary.svg" alt="Fasthosts"></img> </a> </nav> <main> <h2>Welcome to <span class="domain
Aug 5, 2024 16:32:42.606115103 CEST	224	IN	Data Raw: 56 61 72 22 3e 3c 2f 73 70 61 6e 3e 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 69 73 20 70 61 72 6b 65 64 20 66 6f 72 20 46 52 45 45 20 62 79 0a 20 20 20 20 20 20 20 Data Ascii: Var"></span></h2> <p> This domain name is parked for FREE by <strong><a href="https://fasthosts.co.uk/" rel="nofollow">fasthosts.co.uk</a></strong> </p> <div class="row"> <div class
Aug 5, 2024 16:32:42.606127024 CEST	1236	IN	Data Raw: 3d 22 63 61 72 64 20 63 61 72 64 2d 2d 69 73 2d 63 74 61 22 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 68 33 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 4c 6f 6f 6b 69 6e 67 20 74 6f 20 62 75 79 20 61 20 73 69 6d 69 6c 61 72 20 64 6f 6d 61 69 6e 20 74 Data Ascii: ="card card--is-cta"> <h3> Looking to buy a similar domain to <br> <strong><span class="domainVar"></span>?</strong> </h3> <a class="cta cta--primary" rel="nofollow" id="domainSearchCta">St
Aug 5, 2024 16:32:42.606175900 CEST	411	IN	Data Raw: 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 20 7c 7c 20 64 6f 63 75 6d 65 6e 74 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2e 72 65 70 6c 61 63 65 28 22 77 77 77 2e 22 2c 20 22 22 29 0a 20 20 20 20 64 6f 63 Data Ascii: cument.location.hostname \|\| document.location.hostname.replace("www.", "") document.querySelectorAll(".domainVar").forEach(placeholder => placeholder.innerText = cleanHostname) document.getElementById("domainSearchCta").href = `https:/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.10	50105	64.190.63.222	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:42.612492085 CEST	82	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: watersystem.net
Aug 5, 2024 16:32:43.907408953 CEST	208	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>
Aug 5, 2024 16:32:43.907527924 CEST	208	IN	HTTP/1.1 403 Forbidden content-length: 93 cache-control: no-cache content-type: text/html connection: close Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 52 65 71 75 65 73 74 20 66 6f 72 62 69 64 64 65 6e 20 62 79 20 61 64 6d 69 6e 69 73 74 72 61 74 69 76 65 20 72 75 6c 65 73 2e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <html><body><h1>403 Forbidden</h1>Request forbidden by administrative rules.</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.10	50106	54.244.188.177	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:43.938019991 CEST	81	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: womanhonor.net
Aug 5, 2024 16:32:44.783339024 CEST	379	IN	HTTP/1.1 200 OK Server: nginx Date: Mon, 05 Aug 2024 14:32:44 GMT Content-Type: text/html Connection: close Set-Cookie: btst=58558f183a43497d934f6296a0154f4a\|8.46.123.33\|1722868364\|1722868364\|0\|1\|0; path=/; domain=.womanhonor.net; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.33; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.10	50107	81.169.145.88	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:46.334935904 CEST	81	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: freshfancy.net
Aug 5, 2024 16:32:46.997354984 CEST	374	IN	HTTP/1.1 404 Not Found Date: Mon, 05 Aug 2024 14:32:46 GMT Server: Apache/2.4.61 (Unix) Content-Length: 196 Content-Type: text/html; charset=iso-8859-1 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.10	50108	15.197.192.55	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:48.594881058 CEST	84	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: alreadyfriend.net
Aug 5, 2024 16:32:49.099131107 CEST	254	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 05 Aug 2024 14:32:49 GMT Content-Type: text/html Content-Length: 114 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.10	50109	188.225.40.227	80	1840	C:\whfkpbh\idtpqzltyfy.exe

Timestamp	Bytes transferred	Direction	Data
Aug 5, 2024 16:32:49.639673948 CEST	83	OUT	GET /index.php HTTP/1.0 Accept: / Connection: close Host: followfriend.net
Aug 5, 2024 16:32:50.350815058 CEST	373	IN	HTTP/1.1 301 Moved Permanently Server: nginx/1.26.1 Date: Mon, 05 Aug 2024 14:32:49 GMT Content-Type: text/html Content-Length: 169 Connection: close Location: https://followfriend.net/index.php Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx/1.26.1</center></body></html>

Target ID:	0
Start time:	10:30:56
Start date:	05/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k NetworkService -p
Imagebase:	0x7ff7df220000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	10:30:56
Start date:	05/08/2024
Path:	C:\Windows\System32\Sgrmuserer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\Sgrmuserer.exe
Imagebase:	0x7ff68de20000
File size:	329'504 bytes
MD5 hash:	3BA1A18A0DC30A0545E7765CB97D8E63
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:30:57
Start date:	05/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Imagebase:	0x7ff7df220000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	10:30:57
Start date:	05/08/2024
Path:	C:\Users\user\Desktop\mtuXDnH1Di.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\mtuXDnH1Di.exe"
Imagebase:	0x5f0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:30:57
Start date:	05/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Imagebase:	0x7ff7df220000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	10:30:58
Start date:	05/08/2024
Path:	C:\whfkpbh\qbf43feev7f7qnhdav.exe
Wow64 process (32bit):	true
Commandline:	"C:\whfkpbh\qbf43feev7f7qnhdav.exe"
Imagebase:	0xba0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	10:30:58
Start date:	05/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Imagebase:	0x7ff7df220000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:30:58
Start date:	05/08/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Imagebase:	0x7ff7df220000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	10:30:58
Start date:	05/08/2024
Path:	C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit):	true
Commandline:	C:\whfkpbh\idtpqzltyfy.exe
Imagebase:	0xaa0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	10:30:59
Start date:	05/08/2024
Path:	C:\whfkpbh\amdrhfskpcu.exe
Wow64 process (32bit):	true
Commandline:	wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Imagebase:	0x830000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	10:31:01
Start date:	05/08/2024
Path:	C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit):	true
Commandline:	"C:\whfkpbh\idtpqzltyfy.exe"
Imagebase:	0xaa0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	10:31:58
Start date:	05/08/2024
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff74b4e0000
File size:	468'120 bytes
MD5 hash:	B3676839B2EE96983F9ED735CD044159
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	10:31:58
Start date:	05/08/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	10:32:17
Start date:	05/08/2024
Path:	C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit):	true
Commandline:	"c:\whfkpbh\idtpqzltyfy.exe"
Imagebase:	0xaa0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	10:32:18
Start date:	05/08/2024
Path:	C:\whfkpbh\amdrhfskpcu.exe
Wow64 process (32bit):	true
Commandline:	wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
Imagebase:	0x2e0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	10:33:54
Start date:	05/08/2024
Path:	C:\whfkpbh\idtpqzltyfy.exe
Wow64 process (32bit):	true
Commandline:	"c:\whfkpbh\idtpqzltyfy.exe"
Imagebase:	0xaa0000
File size:	279'552 bytes
MD5 hash:	E4B47C06B5EED80FB44CFEA757525634
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	46.5%
Total number of Nodes:	1704
Total number of Limit Nodes:	13

Executed Functions

Function 005F7A04 Relevance: 60.1, APIs: 28, Strings: 5, Instructions: 2326sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 005F83DA
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 005F8448
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 005F84DC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 005F84F7
GetTickCount.KERNEL32 ref: 005F8599

Part of subcall function 00605200: GetVersionExA.KERNEL32(0067AE70), ref: 006052CC

Sleep.KERNEL32(00000D05), ref: 005F8B70
Sleep.KERNEL32(000007D0), ref: 005F8DAC
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 005F8E86
SetFileAttributesA.KERNEL32(?,00000080), ref: 005F8E9F
CopyFileA.KERNEL32(?,?,00000000), ref: 005F8EC3
SetFileAttributesA.KERNEL32(?,00000002), ref: 005F912B
SetFileAttributesA.KERNEL32(?,00000080), ref: 005F9186
GetCommandLineA.KERNEL32 ref: 005F9265
GetModuleFileNameA.KERNEL32(00000000,?), ref: 005F9370

Part of subcall function 005FA4E0: lstrlen.KERNEL32(?), ref: 005FA4FE

Part of subcall function 005FD500: lstrlen.KERNEL32(?,?,005FD630,?), ref: 005FD523

MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 005F96D4
CloseHandle.KERNEL32(00000000), ref: 005F9AC8
SetFileAttributesA.KERNEL32(?,00000080), ref: 005F9AEC
CopyFileA.KERNEL32(?,?,00000000), ref: 005F9B0C
SetFileAttributesA.KERNEL32(?,00000002), ref: 005F9B3B
Sleep.KERNEL32(000003E8), ref: 005F9C52
Sleep.KERNEL32(000003E8), ref: 005F8CB2

Part of subcall function 005FBBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005FBC90
Part of subcall function 005FBBC0: Process32First.KERNEL32(00000000,?), ref: 005FBCE3

GetCommandLineA.KERNEL32 ref: 005F86AE

Part of subcall function 005F2800: ExitProcess.KERNEL32 ref: 005F2842

Part of subcall function 006208B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00620929
Part of subcall function 006208B0: __aulldiv.LIBCMT ref: 00620953

Sleep.KERNEL32(000007D0), ref: 005F9E32
SetFileAttributesA.KERNEL32(0063D800,00000080), ref: 005F9E88
CopyFileA.KERNEL32(?,0063D800,00000000), ref: 005F9EA6
SetFileAttributesA.KERNEL32(0063D800,00000002), ref: 005F9EC5

Part of subcall function 00600500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00600537
Part of subcall function 00600500: CreateServiceA.ADVAPI32(00000000,00FE38D0,00FE38D0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00600596
Part of subcall function 00600500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00600615
Part of subcall function 00600500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0060062A

CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 005FA26A
Sleep.KERNEL32(0000C350), ref: 005FA327

Strings

C:\Users\user, xrefs: 005F83D4
}en, xrefs: 005F9856
zS, xrefs: 005F9CD7
%Tmd, xrefs: 005F8421
@L, xrefs: 005F7E24

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
String ID: zS$%Tmd$C:\Users\user$@L$}en
API String ID: 2964372999-1283555554
Opcode ID: a06e916a9289c26dafe3f4dcbaf6e5ff0cb5ac32c4071baf72eff6ebc936ad65
Instruction ID: 3564ed5978e58fc04f6b0afe39bca332fae0b36c6f061018a1bc7d59c317794b
Opcode Fuzzy Hash: a06e916a9289c26dafe3f4dcbaf6e5ff0cb5ac32c4071baf72eff6ebc936ad65
Instruction Fuzzy Hash: 72233FB1A00605DFD308EF60FD8A6763BB7FB95301B117519E646872B5EBB488A0CF91

Function 00605200 Relevance: 30.9, APIs: 12, Strings: 5, Instructions: 1106
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(0067AE70), ref: 006052CC
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 0060549F
DeleteFileA.KERNELBASE(?), ref: 006056FE
RemoveDirectoryA.KERNELBASE(00000000), ref: 00605743
CreateDirectoryA.KERNELBASE(?,00000000), ref: 0060583A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 006058F3
CreateDirectoryA.KERNEL32(?,00000000), ref: 00605D71
CreateDirectoryA.KERNEL32(?,00000000), ref: 00605E82
GetTempPathA.KERNEL32(00000104,?), ref: 00606029
CreateDirectoryA.KERNEL32(?,00000000), ref: 006061FF
GetTempPathA.KERNEL32(00000104,?), ref: 006063DE
SetFileAttributesA.KERNELBASE(?,00000002), ref: 0060655F

Strings

\, xrefs: 00606092
aE'P, xrefs: 00605BDE
C:\Users\user, xrefs: 00605B3A, 00605C6A
r9:, xrefs: 00606085
C:\whfkpbh\, xrefs: 00605851, 00605D90, 006061A2, 006063F5

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Users\user$C:\whfkpbh\$\$aE'P$r9:
API String ID: 1691758827-3642148351
Opcode ID: 532bf965b356780c884e75a6ab4ab323c0f775d39b915d55e35bdf73ce6fb8cf
Instruction ID: 9ba6d21589a2325e2b8d73c88d3850f3244f3156fc2a594c4f24edb2a633d8c1
Opcode Fuzzy Hash: 532bf965b356780c884e75a6ab4ab323c0f775d39b915d55e35bdf73ce6fb8cf
Instruction Fuzzy Hash: A1A29AB1A40605CFD308DF24FD9A6B63BB3FB90310B00B129E546972B5EBB48995CF95

Function 00619580 Relevance: 7.7, APIs: 5, Instructions: 220
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,00000001), ref: 00619679
FindFirstFileA.KERNELBASE(?,?), ref: 006197B8
DeleteFileA.KERNELBASE(?), ref: 006198A9
FindNextFileA.KERNELBASE(00000000,?), ref: 006198CB
FindClose.KERNEL32(00000000), ref: 006198E4

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 10535629fca46b2f912af2080124facbafb27250318b54291417c45b1de17d1b
Instruction ID: 05cb1c71cf7c829a8870d821c991dfc82f4aee9d30515bd5e4d5c7105d3797f5
Opcode Fuzzy Hash: 10535629fca46b2f912af2080124facbafb27250318b54291417c45b1de17d1b
Instruction Fuzzy Hash: 17912075911205CFC718CF74FC925A53BB3FB99310B04B51AE54A9B2B0EBB44991CFA1

Function 005FB7A0 Relevance: 3.1, APIs: 2, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005FB82B
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 005FB87D

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: 5976af419ede5101f571b7f8c0f9975626a274b23cef6aa98430478a735671a2
Instruction ID: 38302da72e90961f10ab4ed9885881ac239af20ad764f08725499002e2410a08
Opcode Fuzzy Hash: 5976af419ede5101f571b7f8c0f9975626a274b23cef6aa98430478a735671a2
Instruction Fuzzy Hash: F831CE74901648EFE708CFA4ED999BA7FBAFB44300B00B05AE402972B0D7B05A59CB95

Function 005FE2C0 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,0062220A,02167FFC,?,?,?,?,0061463C), ref: 005FE2F8
RtlAllocateHeap.NTDLL(00000000,?,0062220A,02167FFC,?,?,?,?,0061463C), ref: 005FE2FF

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: a2ce721eba6d113b72b42882d9083d72d395486811f3b9dd9fcb2d286ea7f9c7
Instruction ID: 7b95553c833968ff3fd9d2b1f49a9d9d33695f46a89ebb849e7d269a8b6a79ff
Opcode Fuzzy Hash: a2ce721eba6d113b72b42882d9083d72d395486811f3b9dd9fcb2d286ea7f9c7
Instruction Fuzzy Hash: 7DE086B6104215DFC7188FE5FC8EA5637BAF704305B006418F609C6271D731A6C58BD4

Function 005FCA40 Relevance: 10.8, APIs: 7, Instructions: 345
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,?,00000000,00000003,00000000,00000000), ref: 005FCB20
ReadFile.KERNELBASE(00000000,?,?,?,00000000), ref: 005FCB5D
FindCloseChangeNotification.KERNELBASE(00000000), ref: 005FCBBD
GetTickCount.KERNEL32 ref: 005FCC1D
CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 005FCED4
WriteFile.KERNELBASE(00000000,00000000,?,?,00000000), ref: 005FCF0E
CloseHandle.KERNEL32(00000000), ref: 005FCF47

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: File$CloseCreate$ChangeCountFindHandleNotificationReadTickWrite
String ID:
API String ID: 688250028-0
Opcode ID: 1d1f5e1f40d810fd67c0e58882654d489377a2fe6a91428e31da146f79bcb8c2
Instruction ID: 84d841764791f5d1d86ed0c149489b84d3c9c7c18b8e21b73368e67a9b00af3f
Opcode Fuzzy Hash: 1d1f5e1f40d810fd67c0e58882654d489377a2fe6a91428e31da146f79bcb8c2
Instruction Fuzzy Hash: A5E154B1A00615EFD308DF24FD89A793BB7FB80710F103129E946972B4EB754991CB95

Function 0061FA80 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 133
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,H`,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 0061FBF1
CloseHandle.KERNEL32(H`,?,?,?,?,?,00000000), ref: 0061FC2F
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 0061FC58

Strings

H`, xrefs: 0061FBE0, 0061FBE5
D, xrefs: 0061FB8F
H`, xrefs: 0061FC1F, 0061FC28

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D$H`$H`
API String ID: 2922976086-989101815
Opcode ID: 7f937c646fee84a7e4ccd3d25b2e6f5f599d8a1b47c72509d49b794c13518469
Instruction ID: 29ba6b57b140ac3671213b7c6388f0cd8e5b2677db228257b15251d0c272d04a
Opcode Fuzzy Hash: 7f937c646fee84a7e4ccd3d25b2e6f5f599d8a1b47c72509d49b794c13518469
Instruction Fuzzy Hash: 0051ED31951219DBD704DFA4FC427BA3BFBFB48B11F04601AE54AE62B4EBB49490CB85

Function 00601D90 Relevance: 4.7, APIs: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00613110: WaitForSingleObject.KERNEL32(?,00004E20,?,005FD0F2,00000114), ref: 006131AD

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00601E7B

Part of subcall function 0061FCC0: ReleaseMutex.KERNEL32(005FD410,?,005FD410,00000114), ref: 0061FCE9

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: d6822142d10872b276da28cb16ab245a6183b5e2f378bfe97c7d69c51de11966
Instruction ID: 873dd0805841f052edaee106be40c6bd5a2116c687e2e38d7f8fb6c640d4e104
Opcode Fuzzy Hash: d6822142d10872b276da28cb16ab245a6183b5e2f378bfe97c7d69c51de11966
Instruction Fuzzy Hash: 66713371610605DFD308CF24FC9AA6A3BB7FB94315F01B119E80A972B1DBB199A0CF91

Function 00602EB0 Relevance: 3.0, APIs: 2, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00600367,?,00600367,00000000), ref: 00602ED1
RtlFreeHeap.NTDLL(00000000,?,00600367,00000000), ref: 00602ED8

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 7178423f8bc46ff5bec8d160c5d4389a84e931f94aee52a0e96fdd9cf7a6a37b
Instruction ID: 148a850980b22af8560c9968702c9882c3df8cc612574713b7ac6ca0ac915110
Opcode Fuzzy Hash: 7178423f8bc46ff5bec8d160c5d4389a84e931f94aee52a0e96fdd9cf7a6a37b
Instruction Fuzzy Hash: 4E01F734684549CFC328CF64FE5946637FBF7457207446216D54E8B2B0C77098D5CB56

Function 006145A9 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00614699

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 94f8f5227435afed4d2e2431856b017f907f8f5e5efaa961439f4641f57e253c
Instruction ID: 50e0f5d3714bb5505d937a852c2d21bd596c259d181f846bf66a10eaa48286c5
Opcode Fuzzy Hash: 94f8f5227435afed4d2e2431856b017f907f8f5e5efaa961439f4641f57e253c
Instruction Fuzzy Hash: 1D1127B69646068BD718BF60FE8A42537B3FB52306309342AE046962B9EF714451DBC5

Function 005F2800 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 005F2842

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 2469303654818aa752ac6e5995aed54927b33c1fc1219007c3b73fd2bd3781f9
Instruction ID: c07b2608008ec15ce0352c7ebc7c86ea0fb38182e2a80f1d35b29677cf6aa749
Opcode Fuzzy Hash: 2469303654818aa752ac6e5995aed54927b33c1fc1219007c3b73fd2bd3781f9
Instruction Fuzzy Hash: 21E08678010709CBC728DF54D8D687A77A7AB85305754D01A99150B260C634A987CF55

Function 005FA4E0 Relevance: 1.3, APIs: 1, Instructions: 33
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 005FA4FE

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 7d4e7079ccc68b48e1c0eab3f2520d1b85b14820e7b9897d247ee9ab863ae368
Instruction ID: a4e69d02851081d999e2b94e93990dc1f1608bb1456a0f9d92e25d0488873f05
Opcode Fuzzy Hash: 7d4e7079ccc68b48e1c0eab3f2520d1b85b14820e7b9897d247ee9ab863ae368
Instruction Fuzzy Hash: 03F08C71111620EFD7059F61FD0A0663BFAFB893617403022E40A92239EBB84861DFC6

Non-executed Functions

Function 00610D80 Relevance: 25.7, APIs: 11, Strings: 3, Instructions: 1222COMMON

Download Yara Rule

Strings

XH, xrefs: 0061153C
/, xrefs: 0061100F
U][v, xrefs: 00611ED5

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: XH$/$U][v
API String ID: 0-1996962770
Opcode ID: 119eeb1697550fce968d9462d7053e09565c2cd3395dbaff26afabf87049f290
Instruction ID: 9bde041d2ff28365196a9421e3fd7d8f7bf08259bbbb3b4dfbfb8f17eff42282
Opcode Fuzzy Hash: 119eeb1697550fce968d9462d7053e09565c2cd3395dbaff26afabf87049f290
Instruction Fuzzy Hash: 08B25271A00206CFD708EF20FC9A6B93BB7FB95310B14711AE5469B2B4EB7049A5CF85

Function 0060A930 Relevance: 21.8, APIs: 11, Strings: 1, Instructions: 829memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0060AACC

Strings

#~\, xrefs: 0060B319

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: HeapProcess
String ID: #~\
API String ID: 54951025-95464956
Opcode ID: fc955fa9f6b6517257b6b239cb8261c4a6cb9b00cddc77f591732d84c1d07c94
Instruction ID: 855505ccb5fee91c3e646066b4a29bb32fe96b3acae33d926938b6ad801c0105
Opcode Fuzzy Hash: fc955fa9f6b6517257b6b239cb8261c4a6cb9b00cddc77f591732d84c1d07c94
Instruction Fuzzy Hash: 4C722375A10702CFD308DF64FC965A63BB3FB94311B11B52AE846D72B0E7B188A1CB95

Function 00616A7B Relevance: 16.4, Strings: 12, Instructions: 1391COMMON

Download Yara Rule

Strings

l, xrefs: 006176D0
0, xrefs: 00617B16
X, xrefs: 00617455
%, xrefs: 00617656
d, xrefs: 00616D7D
p, xrefs: 006177B9
p, xrefs: 00616CAA
d, xrefs: 006172FC
x, xrefs: 00617450
l, xrefs: 006176E8
o, xrefs: 00617B09
d, xrefs: 00617849

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: wvsprintf
String ID: %$0$X$d$d$d$l$l$o$p$p$x
API String ID: 2795597889-2884493731
Opcode ID: a0cbd1762907b6360f8040eebd1dfb4c97e9d76129628b5ab570383d56e98adc
Instruction ID: 924b32edfeddef0e1150546ad86644e0d5e9461628604afc31cb0d68ff4af731
Opcode Fuzzy Hash: a0cbd1762907b6360f8040eebd1dfb4c97e9d76129628b5ab570383d56e98adc
Instruction Fuzzy Hash: 11D221B1A04605CFD708DF25FD992A43BB3FB94310B26711AD486972B8EB7188E5CF85

Function 00600500 Relevance: 13.7, APIs: 9, Instructions: 170serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00600537
CreateServiceA.ADVAPI32(00000000,00FE38D0,00FE38D0,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00600596
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00600615
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0060062A
CloseServiceHandle.ADVAPI32(00000000), ref: 006006A7
OpenServiceA.ADVAPI32(00000000,00FE38D0,00000010), ref: 006006EB
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0060072D
CloseServiceHandle.ADVAPI32(00000000), ref: 0060073E
CloseServiceHandle.ADVAPI32(00000000), ref: 006007A8

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: 7a43f3182cbd320b05fd4f060fc36a9c576504368ca2c2ab4a6f8ba5f6892c70
Instruction ID: 85ba8761903a4c2f59bd5e7ade853cabefa4850a322a16bb2b72e966c9cefe71
Opcode Fuzzy Hash: 7a43f3182cbd320b05fd4f060fc36a9c576504368ca2c2ab4a6f8ba5f6892c70
Instruction Fuzzy Hash: 2C612F31641210EFE3099F60FC8AB6A3BB3FB81711F117405E506A62F4EBB158A0CF86

Function 005FAF20 Relevance: 7.9, APIs: 5, Instructions: 385serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 005FB0AA
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 005FB15A
GetLastError.KERNEL32 ref: 005FB17A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 005FB216
CloseServiceHandle.ADVAPI32(00000000), ref: 005FB41C

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 07a9f6b09ac6e0e7730cbdd31c07daacfb6482a2619ded323f8766ad4c22cafc
Instruction ID: 9bd3d269183fe6df16a12cea4abfc56bfeb5126a461ea0cc18e79adcda62c89a
Opcode Fuzzy Hash: 07a9f6b09ac6e0e7730cbdd31c07daacfb6482a2619ded323f8766ad4c22cafc
Instruction Fuzzy Hash: 5BF176B2A00606DFD318DF64FC9967A3BB3FB84310B117519E646972B4E7788991CF81

Function 006250E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 134timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(}$a,00000001,?,?,0061247D), ref: 0062518C
GetTickCount.KERNEL32 ref: 006252BE

Strings

}$a, xrefs: 00625188, 0062518B
@AB , xrefs: 006252CD

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @AB $}$a
API String ID: 2164215191-2511770664
Opcode ID: 6448b947e0ed99c8786923f459fbf89ee3116eda487917d57904204fc561bb17
Instruction ID: fa6a16f9f582ef087e5ecaa69575ef89fca8714f671702e9d81ac1e8f0ee6d4a
Opcode Fuzzy Hash: 6448b947e0ed99c8786923f459fbf89ee3116eda487917d57904204fc561bb17
Instruction Fuzzy Hash: 4051AA72A05A21CFD318DF69FD8A5253BF3F7953103057119E48A8B2B4E7B588A0CF95

Function 00602120 Relevance: 6.2, APIs: 4, Instructions: 207processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006021D0
Process32First.KERNEL32(00000000,00000128), ref: 00602257
Process32Next.KERNEL32(00000000,00000128), ref: 00602384
CloseHandle.KERNEL32(00000000), ref: 00602426

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c9390c9fa964ff8f69f17dac6089aebb548a49f5529d683cff00c0a6e18f0eff
Instruction ID: 0bf7827d73edcd803d87ef19c255fe093dfb8ea5dabbdab72f266ca81f601a94
Opcode Fuzzy Hash: c9390c9fa964ff8f69f17dac6089aebb548a49f5529d683cff00c0a6e18f0eff
Instruction Fuzzy Hash: 7D912071A40716CBD318DF65FCA86A637B7FF90310F15701AD882822B4EBB489A5CF95

Function 005FE550 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 521COMMON

Download Yara Rule

Strings

{mYr, xrefs: 005FEC73
, xrefs: 005FE8A2

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: ${mYr
API String ID: 0-2876023986
Opcode ID: 3c22477ec255802a5b3f9cb38dd15a674be966df07f35356c2ed7538f802478a
Instruction ID: a8b405fe8072257808cfa6609893b071edd369eb711ef8d36b1b565f6cb27196
Opcode Fuzzy Hash: 3c22477ec255802a5b3f9cb38dd15a674be966df07f35356c2ed7538f802478a
Instruction Fuzzy Hash: 19224775A00205CFC708DF64FD966B63BB7FB84311F00A02AEA05872B5EBB58995CBD1

Function 0060F160 Relevance: 4.9, Strings: 3, Instructions: 1183COMMON

Download Yara Rule

Strings

C@% , xrefs: 0060FD04
, xrefs: 00610233
t?Wx, xrefs: 0061016D

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: $C@% $t?Wx
API String ID: 0-2869517708
Opcode ID: e3c3daf711a91950f856c7fd67fb78ccbf6bee71febca9974ce792bf1b51bd4c
Instruction ID: 8c1c217a619bd304ad5d396419a608ad15747e288959ab2ea4cb3e3b556a6765
Opcode Fuzzy Hash: e3c3daf711a91950f856c7fd67fb78ccbf6bee71febca9974ce792bf1b51bd4c
Instruction Fuzzy Hash: AFB21171A00605CFCB18CF64FD955AA77F7FB94310B15A22AE846973B4EB7099A1CF80

Function 006155E0 Relevance: 4.1, Strings: 2, Instructions: 1592COMMON

Download Yara Rule

Strings

p R, xrefs: 00615AB1
l, xrefs: 0061664B

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: l$p R
API String ID: 0-2271698361
Opcode ID: 2d4d81aad380e0ed01af6c836d8f2cfc617e3b9e5b9ad290da571fefd7f989dd
Instruction ID: 25b90c50185a22495e74c50c4743f6ea26312309d6d25b77368b4ff8ad8d09fb
Opcode Fuzzy Hash: 2d4d81aad380e0ed01af6c836d8f2cfc617e3b9e5b9ad290da571fefd7f989dd
Instruction Fuzzy Hash: CCE2FEB5A00A11CFC708DF25FD891A83BB3FB95311715B15AE486972B4EBB088E5CF85

Function 0060E1C0 Relevance: 3.7, APIs: 2, Instructions: 732COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691a72847149e34c2c09886a0b5f28937a9a7cb69d99bd58ab43df2c32203bc8
Instruction ID: c518b391a801767fa98facc09882ed5a930f0c416619aa01d00883e2a06f11e7
Opcode Fuzzy Hash: 691a72847149e34c2c09886a0b5f28937a9a7cb69d99bd58ab43df2c32203bc8
Instruction Fuzzy Hash: 08624271A00611CFD718EF24FD866AA3BB3FB84300B10781AE546972B5EB729991CFC5

Function 006030F0 Relevance: 2.3, Strings: 1, Instructions: 1008COMMON

Download Yara Rule

Strings

+#T, xrefs: 00603D25

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: +#T
API String ID: 0-666610905
Opcode ID: 38fba1b10a73d125ad2d828dae73c45d01bff8c9a6c43e56d7e8c8d610302265
Instruction ID: cc497877fc936b094b7bb9a92eae210a5e29adc8da2185371d23a589d128f038
Opcode Fuzzy Hash: 38fba1b10a73d125ad2d828dae73c45d01bff8c9a6c43e56d7e8c8d610302265
Instruction Fuzzy Hash: C2928CB1E00616DFDB08DF24FD855AA3BBBFB84301B116519E446A33B1E7709AA1CF91

Function 00619B00 Relevance: 2.2, APIs: 1, Instructions: 701COMMON

Download Yara Rule

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00619C49

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 1f7d02fb4a03795e7174179093512181510261e5878982f0da9aa72f22cce5a5
Instruction ID: c15164b44a273b052e9059e59f9e1d4f503d39a5640d6bc8487c332de6a9794c
Opcode Fuzzy Hash: 1f7d02fb4a03795e7174179093512181510261e5878982f0da9aa72f22cce5a5
Instruction Fuzzy Hash: 78620271900216CFD708EFA0FD96AEA37B7FB94300F106019E146A72B5EB705A95CF96

Function 0061E70B Relevance: 2.0, Strings: 1, Instructions: 773COMMON

Download Yara Rule

Strings

Bzb, xrefs: 0061F276

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: Bzb
API String ID: 0-2804807757
Opcode ID: 45c683619997e188e285cdc797486390f96f5a9a6ee1bc942c12261ea0462aca
Instruction ID: 86f9c0ef654867d6f2b8a100bb2bb918270b969cb1a7d787f8928462f4923434
Opcode Fuzzy Hash: 45c683619997e188e285cdc797486390f96f5a9a6ee1bc942c12261ea0462aca
Instruction Fuzzy Hash: D272DA7AA11612CFC318CF28FD850A03BB3FB4935031A752AD886E7274E77199A5CF85

Function 006122A0 Relevance: 1.8, APIs: 1, Instructions: 598sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 006208B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00620929
Part of subcall function 006208B0: __aulldiv.LIBCMT ref: 00620953

Part of subcall function 00601200: Sleep.KERNEL32(000003E8), ref: 0060139B

Sleep.KERNEL32(000008AE), ref: 00612C03

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: SleepTime$FileSystem__aulldiv
String ID:
API String ID: 3227937447-0
Opcode ID: a221c08a113d5b32ee3c6758ff3ea7436fa72f3c029808c7d82a77e7e0ed83c9
Instruction ID: ad4a3bf630033c317201f286cf90648cdec06043c58e657dcdb978a327eaee17
Opcode Fuzzy Hash: a221c08a113d5b32ee3c6758ff3ea7436fa72f3c029808c7d82a77e7e0ed83c9
Instruction Fuzzy Hash: 6B424771A00205CFD708DF60FDA6AAA3BB3FB44310F14B11AE446A72B5EB7059A5CF95

Function 005FD760 Relevance: 1.7, Strings: 1, Instructions: 473COMMON

Download Yara Rule

Strings

viH, xrefs: 005FDE93

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: viH
API String ID: 0-3523788874
Opcode ID: 0a63f648e529e71374bd0957099a9a46860ef25ebc881449cbe0c98b015fd622
Instruction ID: 6bd01903ac0d19968acf2a00b9efacc668268f1e97ee25762d0fd5c5aae7dff2
Opcode Fuzzy Hash: 0a63f648e529e71374bd0957099a9a46860ef25ebc881449cbe0c98b015fd622
Instruction Fuzzy Hash: 1C123471A00605CFC708DF25FD955793BB7FBA4310711B02AE94AC72B5EB7888A1CBA5

Function 00620A90 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

DH@ , xrefs: 00620BF7

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: DH@
API String ID: 0-2158797763
Opcode ID: acfc562cfc1550749304191076e5c38a9c13b3a62ae10ef1f85c374de2d44f94
Instruction ID: af78b23ffb1f4357e5b2f80b1f4eb9b0ffc11c150fe701cc60de91bd23ccc96c
Opcode Fuzzy Hash: acfc562cfc1550749304191076e5c38a9c13b3a62ae10ef1f85c374de2d44f94
Instruction Fuzzy Hash: C7D15276A01600CFD358CF68FD810657BF3FBA6310715B11AD485973B5EB789892CB91

Function 00625930 Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

63{, xrefs: 00625A32

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: 63{
API String ID: 0-1405228871
Opcode ID: cb5f1dcf1f3d49930f5e568c64e48afece521d6b3ece4046ff75dfc035cefb35
Instruction ID: df3624bee8fd37b338fe961ba345f4c072d3bbdf4755c93f546db43c88cc0675
Opcode Fuzzy Hash: cb5f1dcf1f3d49930f5e568c64e48afece521d6b3ece4046ff75dfc035cefb35
Instruction Fuzzy Hash: 61C1B971A00A61CFC318DF28FC962213BB3FB94321761751AE486873B9E77598A1CF84

Function 005FC660 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 005FC692

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: bfdd0cdf9bab855767b50d98e511dfd08948813ffe316920e39c7841725e261b
Instruction ID: 50f6f88ef0717f5785c1e7dac92f0ab35882d5f45aa60651242dc069acf004ed
Opcode Fuzzy Hash: bfdd0cdf9bab855767b50d98e511dfd08948813ffe316920e39c7841725e261b
Instruction Fuzzy Hash: E4E0E571D022089FC744DFA8ED454AEBBF6FB88300B40999AF418AB2A0EB7456508FC5

Function 006097B0 Relevance: .9, Instructions: 866COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee980be121f98564dc317ae83c789f85ffb43d33e6feca002a97bfb8469a885f
Instruction ID: 20aab57d84666fea15da2906fa976467c1361aac28d4822ef280fce6e1a0d418
Opcode Fuzzy Hash: ee980be121f98564dc317ae83c789f85ffb43d33e6feca002a97bfb8469a885f
Instruction Fuzzy Hash: 018254B1A00602CFD708EF64FD951AA3BB3FB91350B11701AE486972FAE77549A1CF85

Function 005F1490 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3268c65333534322488bc49fe8207b7337cf79d75503f16a0d25a743ecf8145
Instruction ID: e96760cfab35d0fd2f6c2d5fc9a548437f497037dce923585cfc01e863b23310
Opcode Fuzzy Hash: f3268c65333534322488bc49fe8207b7337cf79d75503f16a0d25a743ecf8145
Instruction Fuzzy Hash: E5022172A01A15CFD708DF29FE990643FB3F795311312B11AD58A972B8EBB448A5CF84

Function 00614EA0 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db6b8f0d0abeabde0665f3141ba3c4403617f5c11bc4f3f9772658450ea4db67
Instruction ID: 1c5b836d069ef50b6793a7f5ab6c0116c9a8047838521db1b9bf30006fc3ef4d
Opcode Fuzzy Hash: db6b8f0d0abeabde0665f3141ba3c4403617f5c11bc4f3f9772658450ea4db67
Instruction Fuzzy Hash: 47F11471B11600CFD708DF65FC991A57BB3FBC8301726A11AD486A32B9EB7588A1CF84

Function 00620220 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a43a606924918a6a406d788d84bf9aa1ea698d98e2816a26f1babefc0c248a
Instruction ID: e0d3c27455b0990b70f1537fb360e903e895fc7b83d3e93891f725fe10bd4690
Opcode Fuzzy Hash: 38a43a606924918a6a406d788d84bf9aa1ea698d98e2816a26f1babefc0c248a
Instruction Fuzzy Hash: F9E14671A00A15CFE718DF24FC452B53BE3F7A4321F10A12AE846932B6E7708995CF91

Function 005FF330 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 346d99150cb43941800abd94daefc15ba0a6ae7cbf64c9980c478a7b67bc50a6
Instruction ID: bfa964bd9a9ade4d4fca726241f3b4b1253c3cbc9e0194f612dd6fb31c9b77be
Opcode Fuzzy Hash: 346d99150cb43941800abd94daefc15ba0a6ae7cbf64c9980c478a7b67bc50a6
Instruction Fuzzy Hash: 49D1EB75A00605CFDB08CF28FC851757BB3FB89321312A52AE886877B4EB749891CF91

Function 0060A0A6 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5365a457a4a2eee4782293d85258667f157312fdc96679f6ca4ad2d2a6cf01ed
Instruction ID: 53ffc257a561a54dca7f50b47bd2a5abb16210e0b7d8e7c2faa32bf515db51d4
Opcode Fuzzy Hash: 5365a457a4a2eee4782293d85258667f157312fdc96679f6ca4ad2d2a6cf01ed
Instruction Fuzzy Hash: ECD142B5A44706CFC709DFA4FC862AA3BB3F791350F10715AD482872B5E7758991CB82

Function 00606C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00FE38D0,Function_00011860), ref: 00606D72
SetServiceStatus.ADVAPI32(00000000,006605F8), ref: 00606DD5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00606DE9
SetServiceStatus.ADVAPI32(00000000,006605F8), ref: 00606E8A
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00606EBE
SetServiceStatus.ADVAPI32(00000000,006605F8), ref: 00606F2B
CloseHandle.KERNEL32(00000000), ref: 00606F42
SetServiceStatus.ADVAPI32(00000000,006605F8), ref: 00606FAA

Strings

=ZMI, xrefs: 00606D10

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: =ZMI
API String ID: 3399922960-150576250
Opcode ID: d41bd93ad5ddf1219d9791ad652db0d25289b9062e543927085e643b5b0e17db
Instruction ID: e66d8a316e05e122bb0364a14954ce183094d04db519b094b513ef48397b77cb
Opcode Fuzzy Hash: d41bd93ad5ddf1219d9791ad652db0d25289b9062e543927085e643b5b0e17db
Instruction Fuzzy Hash: 6391EEB0941302CFE308CF65FE895663BBBFB98711701B52AE44AC22B4D7B444A5CF96

Function 00604380 Relevance: 10.9, APIs: 7, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006044A7
Process32First.KERNEL32(00000000,?), ref: 006045C2
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 006047CE
Module32First.KERNEL32(00000000,00000224), ref: 00604842
CloseHandle.KERNEL32(00000000,0000000A), ref: 0060495A
Process32Next.KERNEL32(?,00000128), ref: 006049AD
CloseHandle.KERNEL32(00000000), ref: 00604A20

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID:
API String ID: 930127669-0
Opcode ID: 8a1acdd3e36523a02121b4418bbcbebab46e0f0bbea32270465b4e1004a68efa
Instruction ID: 84f32874187daf75d3144b59859184c122868fac69182b17abb92d919ba5bb42
Opcode Fuzzy Hash: 8a1acdd3e36523a02121b4418bbcbebab46e0f0bbea32270465b4e1004a68efa
Instruction Fuzzy Hash: 6EF145B1A00601CFD318DF24FD8A6A63BB7FB84311B007159E54A872B4EBB489A5CF91

Function 005FBBC0 Relevance: 10.7, APIs: 7, Instructions: 205processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005FBC90
Process32First.KERNEL32(00000000,?), ref: 005FBCE3
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005FBDDD

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 01197a434c03e619b4147f3b61f3cac8d317a4bc2ecab3f1daef9e2d762dce89
Instruction ID: 35f40fa72163fe95f5ccdc1aedd74d361c04a28c69d303aa748e2cd70f502116
Opcode Fuzzy Hash: 01197a434c03e619b4147f3b61f3cac8d317a4bc2ecab3f1daef9e2d762dce89
Instruction Fuzzy Hash: 6D911275500616CFD718CF24FC996B93BBBFB98311B01B11AE506972B0DB788994CF81

Function 00601530 Relevance: 9.2, APIs: 6, Instructions: 176filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 006015C3
GetFileTime.KERNEL32(00000000,?,?,?), ref: 0060168A
CloseHandle.KERNEL32(00000000), ref: 006016A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00601715
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00601774
CloseHandle.KERNEL32(00000000), ref: 00601792

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 17b3bcc7a5e8b8971221f1e5c02a98754a8a1b958f295a0add2da97daa8f229c
Instruction ID: c2eef4158581a29bf1da5f79c58c531d67f24f8e75ae1a0475c5a3b4ccf7fdfd
Opcode Fuzzy Hash: 17b3bcc7a5e8b8971221f1e5c02a98754a8a1b958f295a0add2da97daa8f229c
Instruction Fuzzy Hash: 19713F71A01204DFC704DFA6FC85679BBB7FB85711F21661AE44AA32B0E7B008A0CF81

Function 005FBD08 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005FBDDD
TerminateProcess.KERNEL32(00000000,000000FF), ref: 005FBE24
CloseHandle.KERNEL32(00000000), ref: 005FBE68
Process32Next.KERNEL32(00000000,00000128), ref: 005FBF01
CloseHandle.KERNEL32(00000000), ref: 005FBF2F

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate
String ID:
API String ID: 3173823348-0
Opcode ID: a3d2cdfa18ed7fa22c405ed97590d68e17fe54564d9c1ab9dcf791c069c6fe54
Instruction ID: f977074abca0c089bf66d690731dee8cdabcd67ee5f5816e9e5a1dacd90ef9c6
Opcode Fuzzy Hash: a3d2cdfa18ed7fa22c405ed97590d68e17fe54564d9c1ab9dcf791c069c6fe54
Instruction Fuzzy Hash: 27512175A01605CFD718CB20FC99AB937FBFB98321B01A15AE606932B0DB748990CF80

Function 00625440 Relevance: 7.6, APIs: 5, Instructions: 71synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,0060E92E,0060CA40,00000000,?), ref: 006254B2
CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 006254E4
CloseHandle.KERNEL32(00000000,?,0060E92E,0060CA40,00000000,?), ref: 0062551D
WaitForSingleObject.KERNEL32(?,000000FF,?,0060E92E,0060CA40,00000000,?), ref: 00625538
CloseHandle.KERNEL32(?,?,000000FF,?,0060E92E,0060CA40,00000000,?), ref: 0062554B

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 1c6a5c7a4fa8dbfe851078d253b4e646eed710a4b6d7f88245b5c6a3da9725ff
Instruction ID: 8364f135d81cd4c903742ceee366fcc9623f30440c36b73c7c3772acef8cf670
Opcode Fuzzy Hash: 1c6a5c7a4fa8dbfe851078d253b4e646eed710a4b6d7f88245b5c6a3da9725ff
Instruction Fuzzy Hash: 48318730600700EBD3148F64FC56B667BE6FB48711F10A109E6869B2B4DBB09890CFE1

Function 005FD000 Relevance: 6.3, APIs: 4, Instructions: 269fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FD11A
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 005FD1CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 005FD3EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 005FD2E9

Part of subcall function 0061FCC0: ReleaseMutex.KERNEL32(005FD410,?,005FD410,00000114), ref: 0061FCE9

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: CloseFileHandle$CreateMutexReadRelease
String ID:
API String ID: 1760212717-0
Opcode ID: 77cfdf73ea45ef953866beb9cd09106211ea73bafb12d873cfca62d48abd2f29
Instruction ID: 035bd8b08cb652d3f2c49af596d49b1e49b961c1ed49b554c7b59881508b8605
Opcode Fuzzy Hash: 77cfdf73ea45ef953866beb9cd09106211ea73bafb12d873cfca62d48abd2f29
Instruction Fuzzy Hash: CBB16571600A05DBD7089F20FC866693BB7FBC4312F11B455E646872F0EB7159A4CF96

Function 006068D0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,006003A9,00000000,?), ref: 00606957
RtlReAllocateHeap.NTDLL(00000000,?,006003A9,00000000), ref: 0060695E
GetProcessHeap.KERNEL32(00000000,?,?,006003A9,00000000,?), ref: 006069C8
HeapAlloc.KERNEL32(00000000,?,006003A9,00000000,?), ref: 006069CF

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 5f1284186c6025e7baddca4918051cde349b45dee5c92a86bc259f5a6a2a2f52
Instruction ID: 06d842b281e92bd6dd517c1e84235b527c61a5f13da78b86bd620178ffa865a7
Opcode Fuzzy Hash: 5f1284186c6025e7baddca4918051cde349b45dee5c92a86bc259f5a6a2a2f52
Instruction Fuzzy Hash: 1321BBB1640704DFD7089F20FE8A6513BBBFB50310B62B404E589522B8EB71A8B0CF94

Function 00610FD8 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

XH, xrefs: 0061153C
/, xrefs: 0061100F

Memory Dump Source

Source File: 00000004.00000002.1315868879.00000000005F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000004.00000002.1315851780.00000000005F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315921462.0000000000627000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000062E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.0000000000669000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1315941959.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.1316064158.000000000067B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_5f0000_mtuXDnH1Di.jbxd

Similarity

API ID:
String ID: XH$/
API String ID: 0-571299465
Opcode ID: 1c95239a7c2014c9d9b06b1448043f8f8cbfd9e649932f7d485978456d7be797
Instruction ID: a7709dd5e0095bdc049e2dd32ad94876a1da45451d4d136adaf24e92a9633079
Opcode Fuzzy Hash: 1c95239a7c2014c9d9b06b1448043f8f8cbfd9e649932f7d485978456d7be797
Instruction Fuzzy Hash: 94F13571900215CFD718EF60FC96ABA3BBBFB55300F006129E50A572A1EBB44A95CF95

Analysis Process: qbf43feev7f7qnhdav.exePID: 8076, Parent PID: 7992COMMON

Execution Graph

Execution Coverage:	11.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.3%
Total number of Nodes:	1716
Total number of Limit Nodes:	18

Executed Functions

Function 00BA7A04 Relevance: 63.6, APIs: 29, Strings: 6, Instructions: 2326sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00BA83DA
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00BA8448
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00BA84DC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00BA84F7
GetTickCount.KERNEL32 ref: 00BA8599

Part of subcall function 00BB5200: GetVersionExA.KERNEL32(00C2AE70), ref: 00BB52CC

Sleep.KERNEL32(00000D05), ref: 00BA8B70
Sleep.KERNEL32(000007D0), ref: 00BA8DAC
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00BA8E86
SetFileAttributesA.KERNEL32(?,00000080), ref: 00BA8E9F
CopyFileA.KERNEL32(?,?,00000000), ref: 00BA8EC3
SetFileAttributesA.KERNEL32(?,00000002), ref: 00BA912B
SetFileAttributesA.KERNEL32(?,00000080), ref: 00BA9186
GetCommandLineA.KERNEL32 ref: 00BA9265
GetModuleFileNameA.KERNEL32(00000000,?), ref: 00BA9370

Part of subcall function 00BAA4E0: lstrlen.KERNEL32(?), ref: 00BAA4FE

Part of subcall function 00BAD500: lstrlen.KERNEL32(?,?,00BAD630,?), ref: 00BAD523

MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 00BA96D4
WSAStartup.WS2_32(00000202,?), ref: 00BA995E
CloseHandle.KERNEL32(00000134), ref: 00BA9AC8
SetFileAttributesA.KERNELBASE(?,00000080), ref: 00BA9AEC
CopyFileA.KERNEL32(?,?,00000000), ref: 00BA9B0C
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00BA9B3B
Sleep.KERNELBASE(000003E8), ref: 00BA9C52
Sleep.KERNEL32(000003E8), ref: 00BA8CB2

Part of subcall function 00BABBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BABC90
Part of subcall function 00BABBC0: Process32First.KERNEL32(00000000,?), ref: 00BABCE3

GetCommandLineA.KERNEL32 ref: 00BA86AE

Part of subcall function 00BA2800: ExitProcess.KERNEL32 ref: 00BA2842

Part of subcall function 00BD08B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00BD0929
Part of subcall function 00BD08B0: __aulldiv.LIBCMT ref: 00BD0953

Sleep.KERNEL32(000007D0), ref: 00BA9E32
SetFileAttributesA.KERNEL32(C:\whfkpbh\amdrhfskpcu.exe,00000080), ref: 00BA9E88
CopyFileA.KERNEL32(?,C:\whfkpbh\amdrhfskpcu.exe,00000000), ref: 00BA9EA6
SetFileAttributesA.KERNEL32(C:\whfkpbh\amdrhfskpcu.exe,00000002), ref: 00BA9EC5

Part of subcall function 00BB0500: OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00BB0537
Part of subcall function 00BB0500: CreateServiceA.ADVAPI32(00000000,00A8FC10,00A8FC10,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00BB0596
Part of subcall function 00BB0500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00BB0615
Part of subcall function 00BB0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00BB062A

CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 00BAA26A
Sleep.KERNEL32(0000C350), ref: 00BAA327

Strings

C:\Users\user, xrefs: 00BA83D4
%Tmd, xrefs: 00BA8421
C:\whfkpbh\amdrhfskpcu.exe, xrefs: 00BA98CE, 00BA9909, 00BA9E83, 00BA9E90, 00BA9EC0, 00BAA17B
zS, xrefs: 00BA9CD7
@L, xrefs: 00BA7E24
}en, xrefs: 00BA9856

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartStartupSystemThreadTickToolhelp32VariableVersion__aulldiv
String ID: zS$%Tmd$C:\Users\user$C:\whfkpbh\amdrhfskpcu.exe$@L$}en
API String ID: 3864866415-2975630685
Opcode ID: fcb67e31663b281df9b1553a1ac4267c7673542bd33b2d5d5adf1ac8db9ba1ca
Instruction ID: 136f8dc73bb861cd3892d941dc4cb40e86b62f64cc1436c3203476d480d4b135
Opcode Fuzzy Hash: fcb67e31663b281df9b1553a1ac4267c7673542bd33b2d5d5adf1ac8db9ba1ca
Instruction Fuzzy Hash: DA231D71A14241DFD714AF24FCDABAE3BB4FB96300B11855AE4428B6B5EF7088A1CF51

Function 00BB5200 Relevance: 30.9, APIs: 12, Strings: 5, Instructions: 1106
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00C2AE70), ref: 00BB52CC
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00BB549F
DeleteFileA.KERNELBASE(?), ref: 00BB56FE
RemoveDirectoryA.KERNELBASE(00000000), ref: 00BB5743
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00BB583A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00BB58F3
CreateDirectoryA.KERNEL32(?,00000000), ref: 00BB5D71
CreateDirectoryA.KERNEL32(?,00000000), ref: 00BB5E82
GetTempPathA.KERNEL32(00000104,?), ref: 00BB6029
CreateDirectoryA.KERNEL32(?,00000000), ref: 00BB61FF
GetTempPathA.KERNEL32(00000104,?), ref: 00BB63DE
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00BB655F

Strings

r9:, xrefs: 00BB6085
C:\Users\user, xrefs: 00BB5B3A, 00BB5C6A
aE'P, xrefs: 00BB5BDE
\, xrefs: 00BB6092
C:\whfkpbh\, xrefs: 00BB5851, 00BB5D90, 00BB61A2, 00BB63F5

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Users\user$C:\whfkpbh\$\$aE'P$r9:
API String ID: 1691758827-3642148351
Opcode ID: 28f55f0b92d09cb7801edd7a7ec7766d33d4a42c127122dce3f7e35d135624f1
Instruction ID: 8d3cc52c70e1bf01522dcaed5a3af053bf5bac956b6c06c9b7c1f1696bf09a8a
Opcode Fuzzy Hash: 28f55f0b92d09cb7801edd7a7ec7766d33d4a42c127122dce3f7e35d135624f1
Instruction Fuzzy Hash: ADA230B2A11201CBC714EF24FCD6BFD3BB0F795300B11856AE5429B6B5EB7488A5CB45

Function 00BBA930 Relevance: 25.3, APIs: 13, Strings: 1, Instructions: 829
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00BBAACC

Strings

#~\, xrefs: 00BBB319

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: HeapProcess
String ID: #~\
API String ID: 54951025-95464956
Opcode ID: 001da0031c7d854d4259cefee05c73991a9156552ef9041abf7db0661a7b6452
Instruction ID: 94af1ac4818c443fd97f9bcaa7f5899138af7fd39b07af6c914cbb17f625cdcb
Opcode Fuzzy Hash: 001da0031c7d854d4259cefee05c73991a9156552ef9041abf7db0661a7b6452
Instruction Fuzzy Hash: DC720E75A11245CFC314DF24FCD57B97BF0FB9A311B11856AD8468B2B0EBB088A2CB95

Function 00BB0500 Relevance: 13.7, APIs: 9, Instructions: 170
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenSCManagerA.SECHOST(00000000,00000000,00000002), ref: 00BB0537
CreateServiceA.ADVAPI32(00000000,00A8FC10,00A8FC10,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00BB0596
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00BB0615
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00BB062A
CloseServiceHandle.SECHOST(00000000), ref: 00BB06A7
OpenServiceA.ADVAPI32(00000000,00A8FC10,00000010), ref: 00BB06EB
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00BB072D
CloseServiceHandle.ADVAPI32(00000000), ref: 00BB073E
CloseServiceHandle.ADVAPI32(00000000), ref: 00BB07A8

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: d5ab5756ba455503801bd094916d108fb80e85d84e7397dbb38e42579afb3f61
Instruction ID: 2441e06e5f9d76acbd0c7717aadd34a046d4d771f4524be34c10bff541864511
Opcode Fuzzy Hash: d5ab5756ba455503801bd094916d108fb80e85d84e7397dbb38e42579afb3f61
Instruction Fuzzy Hash: 6361C031621240EFD324AF24FC8ABBD7BB4FB85701F118505E542AB6B4DBB498A2CF45

Function 00BB0920 Relevance: 4.8, APIs: 3, Instructions: 254
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75960000,00000000), ref: 00BB0A8A
GetProcAddress.KERNEL32(75960000,00000000), ref: 00BB0B05
CryptGenRandom.ADVAPI32(00000000,00000004,?,?), ref: 00BB0C10

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID:
API String ID: 646182245-0
Opcode ID: ca8b1e44ef19e2cbb5649e7889b59e905a4e0c884cc3aed09b14f4fc50707ce2
Instruction ID: 4ec3445b43bf254bcc0d50a9cdbb79e9d8166e422bf2c0def2a14ad544993dce
Opcode Fuzzy Hash: ca8b1e44ef19e2cbb5649e7889b59e905a4e0c884cc3aed09b14f4fc50707ce2
Instruction Fuzzy Hash: C2B163B1A20301CBC324EF68FD953BD3BB4FB46710B11812AE4459B6B8EB748852CB85

Function 00BC9B00 Relevance: 2.2, APIs: 1, Instructions: 701
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00BC9C49

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6a0fc664e120d4c4feba9ddf0454503dd16f8a61aced15c8cdaba82a02915ce5
Instruction ID: 0073e1b6664602c1a69f2118277a162746cf9aba60d5c01d8f80dfb9bee059cf
Opcode Fuzzy Hash: 6a0fc664e120d4c4feba9ddf0454503dd16f8a61aced15c8cdaba82a02915ce5
Instruction Fuzzy Hash: 0162DB71910245CBDB14EF60ECD6BEE7BB8FB55300F10809AE002AB6B5EF705A96CB55

Function 00BCFA80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00BBED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00BCFBF1
CloseHandle.KERNEL32(00BBED48,?,?,?,?,?,00000000), ref: 00BCFC2F
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00BCFC58

Strings

D, xrefs: 00BCFB8F

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 2e20196155849cb9271691935a359379c560ab56e7802e51f5c85a4d91bbb68f
Instruction ID: 666b17eaebd3595a90531316354de78b87fbdfd465d8c71775cc7468148be9fb
Opcode Fuzzy Hash: 2e20196155849cb9271691935a359379c560ab56e7802e51f5c85a4d91bbb68f
Instruction Fuzzy Hash: 2B512031960254DBD304DF64FC82BBE3BF5FB09701F00801AE5069B6B4EB785866CB8A

Function 00BAD000 Relevance: 6.3, APIs: 4, Instructions: 269
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00BAD11A
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00BAD1CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00BAD3EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00BAD2E9

Part of subcall function 00BCFCC0: ReleaseMutex.KERNEL32(00BAD410,?,00BAD410,00000128), ref: 00BCFCE9

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CloseFileHandle$CreateMutexReadRelease
String ID:
API String ID: 1760212717-0
Opcode ID: 284bf66bded458ca3e1b42427500711b660445d5cb78209d91b17fc5afb1f2b5
Instruction ID: 9da9be231c2e4a1171af88864323be4a97047d5c34504d0ade78dce073ac884b
Opcode Fuzzy Hash: 284bf66bded458ca3e1b42427500711b660445d5cb78209d91b17fc5afb1f2b5
Instruction Fuzzy Hash: F7B175B1611A00DBC714AF24FCC67AD37B5FB84301F128096E5469B6F1EF7049A5CB82

Function 00BB1D90 Relevance: 4.7, APIs: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00BC3110: WaitForSingleObject.KERNEL32(?,00004E20,?,00BAD0F2,00000128), ref: 00BC31AD

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00BB1E7B

Part of subcall function 00BCFCC0: ReleaseMutex.KERNEL32(00BAD410,?,00BAD410,00000128), ref: 00BCFCE9

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: 3e01bf1364f03ef4df69de4e30c67b5aab73ecb4bfbf626bd78a6821631e1163
Instruction ID: a1e98ad606664f67661cd8058e8f6946dae5d202a8e74e0537fefcdc33513413
Opcode Fuzzy Hash: 3e01bf1364f03ef4df69de4e30c67b5aab73ecb4bfbf626bd78a6821631e1163
Instruction Fuzzy Hash: CB710D75611244DFC304DF28FC9ABAE77B4FB85311F428559E8059B6B5EBB09860CF81

Function 00BAB7A0 Relevance: 3.1, APIs: 2, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BAB82B
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00BAB87D

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: 1510ad23da99173ece1ca44aab1e0a838972abb1b60914c8a29a1e1d60655a55
Instruction ID: b67c73e0b2bd480528b3315e6990d12cfbd6b0068e18e314c2789ea6516e6543
Opcode Fuzzy Hash: 1510ad23da99173ece1ca44aab1e0a838972abb1b60914c8a29a1e1d60655a55
Instruction Fuzzy Hash: 45318B74911288EFD7049FA8FE99BBD7BB8FB49300B01815AE8029B2B1DB705955CB51

Function 00BB2EB0 Relevance: 3.0, APIs: 2, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00BB0367,?,00BB0367,00000000), ref: 00BB2ED1
RtlFreeHeap.NTDLL(00000000,?,00BB0367,00000000), ref: 00BB2ED8

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: b89c0302df2d4fdf55645a46d324b40e1a83ccb8bed848aeb2689105ad35c15e
Instruction ID: 676ea2799b1f6d3ed4802f17c8f208a7823d0a71be3c748956cb3933fdaf593f
Opcode Fuzzy Hash: b89c0302df2d4fdf55645a46d324b40e1a83ccb8bed848aeb2689105ad35c15e
Instruction Fuzzy Hash: D9017C35614284CBCB288F64FEA67BD3BF9F744720710821AE11A8F6B0DB709895CB55

Function 00BAE2C0 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00BD220A,02167FFC,?,?,?,?,00BC463C), ref: 00BAE2F8
RtlAllocateHeap.NTDLL(00000000,?,00BD220A,02167FFC,?,?,?,?,00BC463C), ref: 00BAE2FF

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 90895f25d10624fbe8f6f7034ae275504b9f19c052ad8fb55f78cf89c3b3e153
Instruction ID: 643f0cd9ce52c92871de62415627bbe95caa0a7a8896799dfa530f99aca8c82f
Opcode Fuzzy Hash: 90895f25d10624fbe8f6f7034ae275504b9f19c052ad8fb55f78cf89c3b3e153
Instruction Fuzzy Hash: 28E08676145241AFC704DFE9ECED6A573F8E704305B00401AF60DCF262EF31A5948B90

Function 00BC3CF0 Relevance: 1.6, APIs: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00BC3E0B

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c78d803b4765b3003254c6caaae7c79431e448050a19c04c779572660783162f
Instruction ID: a64d9e4c93626f55e98548851c0d4b319cd0da85956ecc35b156739b121b6c7a
Opcode Fuzzy Hash: c78d803b4765b3003254c6caaae7c79431e448050a19c04c779572660783162f
Instruction Fuzzy Hash: CD412272621344DBC324AF20FC82BE93BF1F799B00F628559E6419B5B4EF704991CB95

Function 00BC45A9 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00BC4699

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 6dd1e9cea452373f94be792c66a0fabad33ff6d771aa7c831c472a9f1711f8ff
Instruction ID: 40a44e3eff345fadbc325a336f35ed834250ec0b0097203bfb1b65fa167367f4
Opcode Fuzzy Hash: 6dd1e9cea452373f94be792c66a0fabad33ff6d771aa7c831c472a9f1711f8ff
Instruction Fuzzy Hash: 6911E2725612428BD724BF64FE8AB7937F4FB5230930144AAD0469B279FF308511DB81

Function 00BA2800 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00BA2842

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: a2c9e14bdbd010eb1ec147276aed3b736c8f3471f554a5e92933db311e5366ee
Instruction ID: 24de66a21b076291c54bd103f20efe4a179ed041979b671242c0fbea2cadb518
Opcode Fuzzy Hash: a2c9e14bdbd010eb1ec147276aed3b736c8f3471f554a5e92933db311e5366ee
Instruction Fuzzy Hash: 19E0863801120A8BC314DF15D8A6E7AB7A6EB45304754C15B99161B660EE39E485CF41

Function 00BAA4E0 Relevance: 1.3, APIs: 1, Instructions: 33
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00BAA4FE

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: a1dd4103f8906709deede287f5a20454cb683b044a793ff8c6349ac359d3177f
Instruction ID: 99df18beaa20d3351e43554d67ec580b38925a421e3143392c5cb571ccdf7744
Opcode Fuzzy Hash: a1dd4103f8906709deede287f5a20454cb683b044a793ff8c6349ac359d3177f
Instruction Fuzzy Hash: E2F0AF71116210EFD7015F22FD4D3EE37F8FB4A3613418002E4069B275EB748822DB86

Non-executed Functions

Function 00BAAF20 Relevance: 7.9, APIs: 5, Instructions: 385serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00BAB0AA
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00BAB15A
GetLastError.KERNEL32 ref: 00BAB17A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00BAB216
CloseServiceHandle.ADVAPI32(00000000), ref: 00BAB41C

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 2fab5a4c5fb0c81abc04605811b18843bb6273f70b3626c3aa9cb668288e726d
Instruction ID: c7d0e7e200287a64661227ed92fd65c5183d8f9334647e9d7c7abe7844f79f39
Opcode Fuzzy Hash: 2fab5a4c5fb0c81abc04605811b18843bb6273f70b3626c3aa9cb668288e726d
Instruction Fuzzy Hash: 4BF176B6901201DFC314DF64FCD9BAE7BF0F796310B11815AD5529B6B5EB3088A1CB45

Function 00BC9580 Relevance: 7.7, APIs: 5, Instructions: 220filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000001), ref: 00BC9679
FindFirstFileA.KERNEL32(?,?), ref: 00BC97B8
DeleteFileA.KERNEL32(?), ref: 00BC98A9
FindNextFileA.KERNEL32(00000000,?), ref: 00BC98CB
FindClose.KERNEL32(00000000), ref: 00BC98E4

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 778bc89244d4adce09b744295506115a3289fbcc9e028aa630f858217eb8ab22
Instruction ID: 97e7f877812ad8951b21b2a73072a4b69613a0a0c939f7681cecbc0d2678f85a
Opcode Fuzzy Hash: 778bc89244d4adce09b744295506115a3289fbcc9e028aa630f858217eb8ab22
Instruction Fuzzy Hash: A4913E75911241CFD324DF24FC96BED3BB1FB9A300B51C55AE8429BA70EB348992CB91

Function 00BB6C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00A8FC10,Function_00011860), ref: 00BB6D72
SetServiceStatus.ADVAPI32(00000000,00C105F8), ref: 00BB6DD5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00BB6DE9
SetServiceStatus.ADVAPI32(00000000,00C105F8), ref: 00BB6E8A
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00BB6EBE
SetServiceStatus.ADVAPI32(00000000,00C105F8), ref: 00BB6F2B
CloseHandle.KERNEL32(00000000), ref: 00BB6F42
SetServiceStatus.ADVAPI32(00000000,00C105F8), ref: 00BB6FAA

Strings

=ZMI, xrefs: 00BB6D10

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: =ZMI
API String ID: 3399922960-150576250
Opcode ID: 16825b4c3b683e96fa4214975e28acecf8d1de88321f92c8157a8d1580041181
Instruction ID: 4fbb616213d9a48d945fd850b17e4a87983fc330b7a143fc4de5f5a8acbccdf9
Opcode Fuzzy Hash: 16825b4c3b683e96fa4214975e28acecf8d1de88321f92c8157a8d1580041181
Instruction Fuzzy Hash: 8991C9B4601252CFC304DF24FC997AD3BB5F79A300721C11AE4568B2B4DBB888A6CF49

Function 00BB4380 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB44A7
Process32First.KERNEL32(00000000,?), ref: 00BB45C2
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00BB47CE
Module32First.KERNEL32(00000000,00000224), ref: 00BB4842
CloseHandle.KERNEL32(00000000,0000000A), ref: 00BB495A
Process32Next.KERNEL32(?,00000128), ref: 00BB49AD
CloseHandle.KERNEL32(00000000), ref: 00BB4A20

Strings

Eln_, xrefs: 00BB48DE, 00BB48ED

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID: Eln_
API String ID: 930127669-3437842203
Opcode ID: 1b8d5d73fe984ffedac0c8ed54342d512a922283bd9b9b5c823364540c7475f0
Instruction ID: 18495ef42f8246adef20f4b78ac1cc122262308bfd81495f59e3b68bfc5e8c0e
Opcode Fuzzy Hash: 1b8d5d73fe984ffedac0c8ed54342d512a922283bd9b9b5c823364540c7475f0
Instruction Fuzzy Hash: B7F12D71A11680CFD718DF28FCD67B93BB5F785300B01859AE4868B2B5EF7488A6CB41

Function 00BACA40 Relevance: 10.8, APIs: 7, Instructions: 345fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 00BACB20
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00BACB5D
CloseHandle.KERNEL32(00000000), ref: 00BACBBD
GetTickCount.KERNEL32 ref: 00BACC1D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00BACED4
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00BACF0E
CloseHandle.KERNEL32(00000000), ref: 00BACF47

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 35a5f24080c16575748d49955566dfbddb24d12bc145dddea22fcf31a2d2e88a
Instruction ID: 0e2ad32d17739a0d173da518c26315343c794ce8fb435ef99d7c12102a66f16d
Opcode Fuzzy Hash: 35a5f24080c16575748d49955566dfbddb24d12bc145dddea22fcf31a2d2e88a
Instruction Fuzzy Hash: FBE143B5A01640DFD304EF24FD99BBD3BB4FB86710B11811AE8469B2B4EF308966CB55

Function 00BABBC0 Relevance: 10.7, APIs: 7, Instructions: 205processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BABC90
Process32First.KERNEL32(00000000,?), ref: 00BABCE3
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BABDDD

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 04ab066d65523b1870c4c0e23eff9e36cc8da38a3db198edc8cebca3dd3548c9
Instruction ID: 28c568902092079d0e8f70cb2fadeff0fe4ca373ed9c015e669686df62bff70c
Opcode Fuzzy Hash: 04ab066d65523b1870c4c0e23eff9e36cc8da38a3db198edc8cebca3dd3548c9
Instruction Fuzzy Hash: CC910D75611205CFC714CF24FCE9BAA7BF9FB99314B01816AE4028B2B1EF348995CB40

Function 00BB1530 Relevance: 9.2, APIs: 6, Instructions: 176filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00BB15C3
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00BB168A
CloseHandle.KERNEL32(00000000), ref: 00BB16A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BB1715
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00BB1774
CloseHandle.KERNEL32(00000000), ref: 00BB1792

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 68c47ce6e52bb3c67db3518dd42519e90c105d74c02bf424316b4b7b57803010
Instruction ID: 1bae287d25f7540b13ac7aa7a9a4d90ea907d8b7f7db55950da747a5a296f294
Opcode Fuzzy Hash: 68c47ce6e52bb3c67db3518dd42519e90c105d74c02bf424316b4b7b57803010
Instruction Fuzzy Hash: A4711D71A12204DFC710EF69FCC57BDBBB4FB86700B21855AE446976B4EB740866CB80

Function 00BABD08 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BABDDD
TerminateProcess.KERNEL32(00000000,000000FF), ref: 00BABE24
CloseHandle.KERNEL32(00000000), ref: 00BABE68
Process32Next.KERNEL32(00000000,00000128), ref: 00BABF01
CloseHandle.KERNEL32(00000000), ref: 00BABF2F

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate
String ID:
API String ID: 3173823348-0
Opcode ID: edcaada77baf175c11cdfdbde02fd0a02e1269fd5fb6d2c9826e4aeb4fcba6f0
Instruction ID: 6a542206ce25a9c990b3ed356ba6f0168e8a9458f0756521fd06698ddf33cfe7
Opcode Fuzzy Hash: edcaada77baf175c11cdfdbde02fd0a02e1269fd5fb6d2c9826e4aeb4fcba6f0
Instruction Fuzzy Hash: D8513E79A11205CFC714DF20FCE5BAA3BF5FB99315B11819AE4068B260EF348985CF40

Function 00BD5440 Relevance: 7.6, APIs: 5, Instructions: 71synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00BBE92E,00BBCA40,00000000,?), ref: 00BD54B2
CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00BD54E4
CloseHandle.KERNEL32(00000000,?,00BBE92E,00BBCA40,00000000,?), ref: 00BD551D
WaitForSingleObject.KERNEL32(?,000000FF,?,00BBE92E,00BBCA40,00000000,?), ref: 00BD5538
CloseHandle.KERNEL32(?,?,000000FF,?,00BBE92E,00BBCA40,00000000,?), ref: 00BD554B

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 74d61b591ce128f9915ff7f586d880928a156e175e58312563b1cdd2cf9c5984
Instruction ID: ba5d8189bb6b9420161ba3d6c638c8678743f55c92429fc808d00c7fd4485c46
Opcode Fuzzy Hash: 74d61b591ce128f9915ff7f586d880928a156e175e58312563b1cdd2cf9c5984
Instruction Fuzzy Hash: 4431DB30601701EFC314DF64EC95BA67BE4FB88710F10C40AE6469B6B0EBB09890CB91

Function 00BB1860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00000000,00C105F8), ref: 00BB19BA

Strings

uRh, xrefs: 00BB18A1

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: ServiceStatus
String ID: uRh
API String ID: 3969395364-64653548
Opcode ID: 12c63e8b70c19032ab1114d7af9191c93d7dafda0784c27f5ddf32ad32d6c25d
Instruction ID: 00131fe114b995356656770dff8c48ce48ba717e28508d27e0269477021161e0
Opcode Fuzzy Hash: 12c63e8b70c19032ab1114d7af9191c93d7dafda0784c27f5ddf32ad32d6c25d
Instruction Fuzzy Hash: 0F310B71220285DFD304DF28FCA9B693BB9F3993103528556E0428B274CF3098A2CF01

Function 00BB2120 Relevance: 6.2, APIs: 4, Instructions: 207processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00BB21D0
Process32First.KERNEL32(00000000,00000128), ref: 00BB2257
Process32Next.KERNEL32(00000000,00000128), ref: 00BB2384
CloseHandle.KERNEL32(00000000), ref: 00BB2426

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 6995a0536a82fdc2eff51d5c59198f7d797a21d2bbcb0c12c3721971cc80f360
Instruction ID: 62abb8cd9854f4cc6a00df302e2f56f04fc6b93a31c5d53e710a3e510b02a245
Opcode Fuzzy Hash: 6995a0536a82fdc2eff51d5c59198f7d797a21d2bbcb0c12c3721971cc80f360
Instruction Fuzzy Hash: B4910A71A11214CBD314DF25FC997F937B4FBA2310F12805AD8429B6B4EBB488A6CF56

Function 00BB68D0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00BB03A9,00000000,?), ref: 00BB6957
RtlReAllocateHeap.NTDLL(00000000,?,00BB03A9,00000000), ref: 00BB695E
GetProcessHeap.KERNEL32(00000000,?,?,00BB03A9,00000000,?), ref: 00BB69C8
HeapAlloc.KERNEL32(00000000,?,00BB03A9,00000000,?), ref: 00BB69CF

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 139a793025cd0b1d80874c4f3b77f63fa10d7825bf7c95ca48e4bb00cbb0c5e2
Instruction ID: 5309b93d98f98dbc50b4f9bc76a564c825bea33bffcdbcd7d4905f1153cf43a7
Opcode Fuzzy Hash: 139a793025cd0b1d80874c4f3b77f63fa10d7825bf7c95ca48e4bb00cbb0c5e2
Instruction Fuzzy Hash: D721F071681200DFD708AF20FEC9BE83BB8F745310B628515E585576B8EB7188B1CF50

Function 00BC0FD8 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

/, xrefs: 00BC100F
XH, xrefs: 00BC153C

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID:
String ID: XH$/
API String ID: 0-571299465
Opcode ID: 8cbe10b356bd7b87f88540f56bdf94e22a52e940453e62831ac3e2da5dd3f42c
Instruction ID: ea826a6cdc66c9160cb4380575f8d188b65c342a28043734e203b2e3d1c0b186
Opcode Fuzzy Hash: 8cbe10b356bd7b87f88540f56bdf94e22a52e940453e62831ac3e2da5dd3f42c
Instruction Fuzzy Hash: DBF1EF31911201DBDB14EF64FCA2BFE7BB8FB56300F0085AAE4066B6A1EF704956CB54

Function 00BD50E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(00BC247D,00000001,?,?,00BC247D), ref: 00BD518C
GetTickCount.KERNEL32 ref: 00BD52BE

Strings

@AB , xrefs: 00BD52CD

Memory Dump Source

Source File: 00000006.00000002.1306510666.0000000000BA1000.00000020.00000001.01000000.00000005.sdmp, Offset: 00BA0000, based on PE: true

Associated: 00000006.00000002.1306469544.0000000000BA0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306737320.0000000000BD7000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000BDC000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C19000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306765906.0000000000C2A000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.1306843216.0000000000C2B000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_ba0000_qbf43feev7f7qnhdav.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @AB
API String ID: 2164215191-841575833
Opcode ID: 18ae59a93a5612446190edb431eaabe76b812f0ebaba6cf5c6bbcb8200716682
Instruction ID: 680e0bb89783b7fc6d1db7e316e9a4774711c24734fc6dcd2bdf5e3b884451d4
Opcode Fuzzy Hash: 18ae59a93a5612446190edb431eaabe76b812f0ebaba6cf5c6bbcb8200716682
Instruction Fuzzy Hash: 40510E71A21681CFC328DF69FDC976D7BF1F7953007164056E4868B2B0EB7888A1CB85

Analysis Process: idtpqzltyfy.exePID: 7336, Parent PID: 620COMMON

Execution Graph

Execution Coverage:	16%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1712
Total number of Limit Nodes:	33

Executed Functions

Function 00AA7A04 Relevance: 65.3, APIs: 29, Strings: 7, Instructions: 2326sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 00AA83DA
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00AA8448
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00AA84DC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00AA84F7
GetTickCount.KERNEL32 ref: 00AA8599

Part of subcall function 00AB5200: GetVersionExA.KERNEL32(00B2AE70), ref: 00AB52CC

Sleep.KERNEL32(00000D05), ref: 00AA8B70
Sleep.KERNEL32(000007D0), ref: 00AA8DAC
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00AA8E86
SetFileAttributesA.KERNEL32(?,00000080), ref: 00AA8E9F
CopyFileA.KERNEL32(?,?,00000000), ref: 00AA8EC3
SetFileAttributesA.KERNEL32(?,00000002), ref: 00AA912B
SetFileAttributesA.KERNEL32(?,00000080), ref: 00AA9186
GetCommandLineA.KERNEL32 ref: 00AA9265
GetModuleFileNameA.KERNEL32(00000000,?), ref: 00AA9370

Part of subcall function 00AAA4E0: lstrlen.KERNEL32(00AB2325,00000000,?,00AB2325,?), ref: 00AAA4FE
Part of subcall function 00AAA4E0: CharLowerBuffA.USER32(00AB2325,00000000,?,00AB2325,?), ref: 00AAA550

Part of subcall function 00AAD500: lstrlen.KERNEL32(?,?,00AC965D,?,00000104,?,00000001), ref: 00AAD523

MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 00AA96D4
WSAStartup.WS2_32(00000202,?), ref: 00AA995E
CloseHandle.KERNEL32(00000130), ref: 00AA9AC8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00AA9AEC
CopyFileA.KERNEL32(?,?,00000000), ref: 00AA9B0C
SetFileAttributesA.KERNEL32(?,00000002), ref: 00AA9B3B
Sleep.KERNEL32(000003E8), ref: 00AA9C52
Sleep.KERNEL32(000003E8), ref: 00AA8CB2

Part of subcall function 00AABBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AABC90
Part of subcall function 00AABBC0: Process32First.KERNEL32(00000000,?), ref: 00AABCE3

GetCommandLineA.KERNEL32 ref: 00AA86AE

Part of subcall function 00AA2800: ExitProcess.KERNEL32 ref: 00AA2842

Part of subcall function 00AD08B0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00AC247D), ref: 00AD0929
Part of subcall function 00AD08B0: __aulldiv.LIBCMT ref: 00AD0953

Sleep.KERNEL32(000007D0), ref: 00AA9E32
SetFileAttributesA.KERNELBASE(C:\whfkpbh\amdrhfskpcu.exe,00000080), ref: 00AA9E88
CopyFileA.KERNEL32(?,C:\whfkpbh\amdrhfskpcu.exe,00000000), ref: 00AA9EA6
SetFileAttributesA.KERNELBASE(C:\whfkpbh\amdrhfskpcu.exe,00000002), ref: 00AA9EC5

Part of subcall function 00AB0500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00AB0537
Part of subcall function 00AB0500: CreateServiceA.ADVAPI32(00000000,00FA6140,00FA6140,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AB0596
Part of subcall function 00AB0500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00AB0615
Part of subcall function 00AB0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AB062A

CreateThread.KERNELBASE(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 00AAA26A
Sleep.KERNEL32(0000C350), ref: 00AAA327

Strings

zS, xrefs: 00AA9CD7
wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe", xrefs: 00AAA0E8, 00AAA176
@L, xrefs: 00AA7E24
%Tmd, xrefs: 00AA8421
C:\Windows\system32\config\systemprofile, xrefs: 00AA83D4
}en, xrefs: 00AA9856
C:\whfkpbh\amdrhfskpcu.exe, xrefs: 00AA98CE, 00AA9909, 00AA9E83, 00AA9E90, 00AA9EC0, 00AAA17B

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$BuffChangeCharCloseConfig2CountEnvironmentExitFirstHandleLowerManagerMessageOpenProcessProcess32SnapshotStartStartupSystemThreadTickToolhelp32VariableVersion__aulldiv
String ID: zS$%Tmd$C:\Windows\system32\config\systemprofile$C:\whfkpbh\amdrhfskpcu.exe$wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"$@L$}en
API String ID: 256806839-120791303
Opcode ID: 0e4e7fa3f78ed6af8551f3671c3e6ba46c24bf055c967047af7f8317e16b08fa
Instruction ID: d00e1dda4acd5a8d252fbea25eeb10cd44d7136a6555609e7467f7fd3defdb02
Opcode Fuzzy Hash: 0e4e7fa3f78ed6af8551f3671c3e6ba46c24bf055c967047af7f8317e16b08fa
Instruction Fuzzy Hash: 3B234671A01341DFD714EFA4FDCAAA63BB4FB95300B91851AE0469B2B5EF3448A2CF51

Function 00AB5200 Relevance: 30.9, APIs: 12, Strings: 5, Instructions: 1106
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00B2AE70), ref: 00AB52CC
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00AB549F
DeleteFileA.KERNELBASE(?,?,?,?,?,?,00000000), ref: 00AB56FE
RemoveDirectoryA.KERNELBASE(00000000,?,?,?,?,?,00000000), ref: 00AB5743
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00AB583A
CreateDirectoryA.KERNELBASE(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00AB58F3
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB5D71
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB5E82
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00AB6029
CreateDirectoryA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 00AB61FF
GetTempPathA.KERNEL32(00000104,?,?,?,?,?,?,00000000), ref: 00AB63DE
SetFileAttributesA.KERNELBASE(?,00000002,?,?,?,?,?,?,00000000), ref: 00AB655F

Strings

r9:, xrefs: 00AB6085
aE'P, xrefs: 00AB5BDE
\, xrefs: 00AB6092
C:\Windows\system32\config\systemprofile, xrefs: 00AB5B3A, 00AB5C6A
C:\whfkpbh\, xrefs: 00AB5851, 00AB5D90, 00AB61A2, 00AB63F5

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Windows\system32\config\systemprofile$C:\whfkpbh\$\$aE'P$r9:
API String ID: 1691758827-2593203275
Opcode ID: 9d16b08c11de691bf74ab8c7f59d67ca682ab26ae765ac3447971f99799fef47
Instruction ID: 3b8e184bc13656d7bc5fe9f3c9606d5313490f4d846e78a775dd8bfeb70f63b0
Opcode Fuzzy Hash: 9d16b08c11de691bf74ab8c7f59d67ca682ab26ae765ac3447971f99799fef47
Instruction Fuzzy Hash: 32A265B2A01201CFC714EFA4FDCA6E53BB5F794310B40852AE5429B2B5EF3489A7CB55

Function 00AC0D80 Relevance: 25.7, APIs: 11, Strings: 3, Instructions: 1222COMMON

Download Yara Rule

Strings

U][v, xrefs: 00AC1ED5
/, xrefs: 00AC100F
XH, xrefs: 00AC153C

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID:
String ID: XH$/$U][v
API String ID: 0-1996962770
Opcode ID: f43717096ddd2503a80e43aaac33ca7fc179f8d8b7341461509ac886a4ac4f62
Instruction ID: b58546b757833dbe5e3d33750105b5a04d7d8f6b0f1d2027b3e1c8019898b12b
Opcode Fuzzy Hash: f43717096ddd2503a80e43aaac33ca7fc179f8d8b7341461509ac886a4ac4f62
Instruction Fuzzy Hash: 20B22271A01205CFDB14EFA4FDD5AB93BB5FB94310B52812AE4469B2B5EF304962CF81

Function 00ABA930 Relevance: 25.3, APIs: 13, Strings: 1, Instructions: 829
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00ABAACC

Strings

#~\, xrefs: 00ABB319

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: HeapProcess
String ID: #~\
API String ID: 54951025-95464956
Opcode ID: 7e19c8e9f2c152d7d4f74bef92bbcd51ba156677a10d62c2a5c65834d6344b94
Instruction ID: 585a46b248048b04e9d38e7469787661900f9699a9e2fc6232f1f5ba96f4cbfd
Opcode Fuzzy Hash: 7e19c8e9f2c152d7d4f74bef92bbcd51ba156677a10d62c2a5c65834d6344b94
Instruction Fuzzy Hash: DF722376A11245CFC714DFA4FCC56E53BB4FBA8311B91851AD846CB2B1EB7088A3CB51

Function 00AC9580 Relevance: 7.7, APIs: 5, Instructions: 220
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E8,00000001), ref: 00AC9679
FindFirstFileA.KERNELBASE(?,?), ref: 00AC97B8
DeleteFileA.KERNELBASE(?), ref: 00AC98A9
FindNextFileA.KERNELBASE(00000000,?), ref: 00AC98CB
FindClose.KERNEL32(00000000), ref: 00AC98E4

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 07a68325cbff889f5618ecd61a1b390d2e13bee328a8949fda580c58ccecc8cb
Instruction ID: f3914fb718fd1826e1cc05b9453be0ef663d3185d7b338ac994b62d0ada474aa
Opcode Fuzzy Hash: 07a68325cbff889f5618ecd61a1b390d2e13bee328a8949fda580c58ccecc8cb
Instruction Fuzzy Hash: 46912475901205DFC714DFB4FD86AE637B5FB98300B81C51AE9469B270EF348A92CB91

Function 00AC22A0 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 598
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AD08B0: GetSystemTimeAsFileTime.KERNEL32(?,?,?,00AC247D), ref: 00AD0929
Part of subcall function 00AD08B0: __aulldiv.LIBCMT ref: 00AD0953

Part of subcall function 00AB1200: Sleep.KERNELBASE(000003E8,?,?,00AC25B4,?,00000708,00000000), ref: 00AB139B

Sleep.KERNELBASE(000008AE), ref: 00AC2C03

Strings

wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe", xrefs: 00AC2CC7
C:\whfkpbh\amdrhfskpcu.exe, xrefs: 00AC2CCC

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: SleepTime$FileSystem__aulldiv
String ID: C:\whfkpbh\amdrhfskpcu.exe$wudcwbel2zfb "c:\whfkpbh\idtpqzltyfy.exe"
API String ID: 3227937447-2559296042
Opcode ID: 7fefd92648917de44ea9f09ca607e6f28e71c85adf75b3c14773bc634e60a049
Instruction ID: 8e2e06dfdc2930b4046078c99d0b9d403ee2bf4b690ca245b52913a1f52a5ebc
Opcode Fuzzy Hash: 7fefd92648917de44ea9f09ca607e6f28e71c85adf75b3c14773bc634e60a049
Instruction Fuzzy Hash: 37421071A01240CFD714DFA4FDD6AAA3BB5FB54310F51852AE402AB2B5EF3099A2CF51

Function 00AB0920 Relevance: 4.8, APIs: 3, Instructions: 254
libraryloaderencryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(75960000,00000000), ref: 00AB0A8A
GetProcAddress.KERNEL32(75960000,00000000), ref: 00AB0B05
CryptGenRandom.ADVAPI32(00000000,00000004,00000000,00000000), ref: 00AB0C10

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: AddressProc$CryptRandom
String ID:
API String ID: 646182245-0
Opcode ID: 4162f2ba2935e40e25d38bd9befd205cf4c35e663d7f58ccbacf9946579b07d0
Instruction ID: b16673ad2b261f056a34a7f1e3e153346e51d0868f51b67590849ef98abb426c
Opcode Fuzzy Hash: 4162f2ba2935e40e25d38bd9befd205cf4c35e663d7f58ccbacf9946579b07d0
Instruction Fuzzy Hash: 86B167B1A01311DFC714EFA5FD85AA63BB8F744710B51812AE046DB2B9EF348862CF85

Function 00AC9B00 Relevance: 2.2, APIs: 1, Instructions: 701
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameA.KERNEL32(?,00000010), ref: 00AC9C49

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9f1a3467ba9cc540d8c04bcf6ac47e55d6d366b3feb3bc2c32de9d49be034ddf
Instruction ID: b18ef66ae1009d44eef04f3c3f47081c32a045067a20a0c159b705b7e60d35f5
Opcode Fuzzy Hash: 9f1a3467ba9cc540d8c04bcf6ac47e55d6d366b3feb3bc2c32de9d49be034ddf
Instruction Fuzzy Hash: 5462BE71910245CFDB14EFA0EE96AEA37B8FB64300F51841AE046AB1B5EF305A96CF51

Function 00AAC660 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherA.ADVAPI32(?), ref: 00AAC692

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID:
API String ID: 3789849863-0
Opcode ID: 9cc534dcfa73bcada382f9b66d1f71b5bee4c9ac8088e147fd92e671a7a34d33
Instruction ID: 628c17a954ba10e922fd05124f33a0c122eb6100a7cb1ce2029ca852c12520b7
Opcode Fuzzy Hash: 9cc534dcfa73bcada382f9b66d1f71b5bee4c9ac8088e147fd92e671a7a34d33
Instruction Fuzzy Hash: 6FE0E571D022489B8744DFA8ED854AEBBF4FB88300B40899AA418AB261EB7855028F85

Function 00AB6C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(00FA6140,Function_00011860), ref: 00AB6D72
SetServiceStatus.SECHOST(00FBB740,00B105F8), ref: 00AB6DD5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AB6DE9
SetServiceStatus.ADVAPI32(00FBB740,00B105F8), ref: 00AB6E8A
WaitForSingleObject.KERNEL32(0000022C,00001388), ref: 00AB6EBE
SetServiceStatus.ADVAPI32(00FBB740,00B105F8), ref: 00AB6F2B
CloseHandle.KERNEL32(0000022C), ref: 00AB6F42
SetServiceStatus.ADVAPI32(00FBB740,00B105F8), ref: 00AB6FAA

Strings

=ZMI, xrefs: 00AB6D10

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: =ZMI
API String ID: 3399922960-150576250
Opcode ID: 1aa00f8837a37e1db0051bc422dbc1c143b7848e44017132de24d1cb2b558b59
Instruction ID: 6b3b04dee047dce54129de9b4f28f753b2bc633ccd369475407d87f71074c1f7
Opcode Fuzzy Hash: 1aa00f8837a37e1db0051bc422dbc1c143b7848e44017132de24d1cb2b558b59
Instruction Fuzzy Hash: C891CA70611392CFC314EFA5FDD95A63BB5F798700B81851AE4568B2B8CF7844A2CF45

Function 00AB2120 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AB21D0
Process32First.KERNEL32(00000000,00000128), ref: 00AB2257
Process32Next.KERNEL32(00000000,00000128), ref: 00AB2384
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00AB2426

Strings

>W=, xrefs: 00AB2370, 00AB237E

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID: >W=
API String ID: 3243318325-2082903562
Opcode ID: 77a5de68d22a58526a925a17186e865e3a3b1d8ed1413c2131c1187a2b22e686
Instruction ID: 07653b86540fa4be25354f526e38c477286bc52ab27ef0ce646e5b92c5514524
Opcode Fuzzy Hash: 77a5de68d22a58526a925a17186e865e3a3b1d8ed1413c2131c1187a2b22e686
Instruction Fuzzy Hash: 2C912F71A11214CBD310DFA5FC89BE63BB8FBA4310F51811AD8429B2B5EF7489A2CF51

Function 00ACFA80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,00AC2CD6,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000001), ref: 00ACFBF1
CloseHandle.KERNEL32(00AC2CD6,?,?,?,?,?,00000001), ref: 00ACFC2F
CloseHandle.KERNEL32(?,?,?,?,?,?,00000001), ref: 00ACFC58

Strings

D, xrefs: 00ACFB8F

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: d31ba846d7b7ae4a78ccf8a4aa5a4d79155f4699cd3494d68560116df569977f
Instruction ID: 8227ec508b7e5568a6ad13455006c4b1223c16436e29521ca150bae4bc19ad72
Opcode Fuzzy Hash: d31ba846d7b7ae4a78ccf8a4aa5a4d79155f4699cd3494d68560116df569977f
Instruction Fuzzy Hash: 1A510D31961214DBD704EFA8FC86BB63BF5FB58711F40801AE5069B2B4EF749862CB85

Function 00AC0FD8 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/, xrefs: 00AC100F
XH, xrefs: 00AC153C

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID:
String ID: XH$/
API String ID: 0-571299465
Opcode ID: f7bfff502cac6e3e40c7a6e6e38a57daf1f0ebb9345a08354d101338e2369623
Instruction ID: 30f29d76f5246cf0742cbd736db69312aa76c03980ec3b38e0752e76e2143054
Opcode Fuzzy Hash: f7bfff502cac6e3e40c7a6e6e38a57daf1f0ebb9345a08354d101338e2369623
Instruction Fuzzy Hash: FDF1FF31A01255DFDB14EFA0FD92AFE77B8FB55310F41812AE4465B2A2EF304A56CB60

Function 00AB1D90 Relevance: 4.7, APIs: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC3110: WaitForSingleObject.KERNEL32(00000708,00004E20,?,00AB0A18,00000128,00000000,00000000,?,00AB126B,?,00AC25B4,?,00000708,00000000), ref: 00AC31AD

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,-0000004B,00000009), ref: 00AB1E7B

Part of subcall function 00ACFCC0: ReleaseMutex.KERNEL32(00AB0D8E,?,00AB0D8E,00000128,00000000), ref: 00ACFCE9

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: fe14c0f253715d175b26fa92ce1db87686784acde779151c229f06b5562e17ce
Instruction ID: 042eff90b562d8eece0c7afdfe536ccc2582a912cdcfd15a22f27605dc6346fe
Opcode Fuzzy Hash: fe14c0f253715d175b26fa92ce1db87686784acde779151c229f06b5562e17ce
Instruction Fuzzy Hash: CC712571611244DFC314DFA4FC95AB937B8FB94310F82811AE8069B6B5DF319962CF41

Function 00AAB7A0 Relevance: 4.6, APIs: 3, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AAB82B
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 00AAB87D
FreeSid.ADVAPI32(?), ref: 00AAB8D6

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 16e33e4b138b53248a0750fce703a4aa644865b58ab8db05fae6b1cb0cd570c1
Instruction ID: eda289d4c740e68eedaafce2458f5fd1c99f0e1c4b6ace16a1fec9c7a0c9752b
Opcode Fuzzy Hash: 16e33e4b138b53248a0750fce703a4aa644865b58ab8db05fae6b1cb0cd570c1
Instruction Fuzzy Hash: B231D075912288DFD704DFB4FDD99B97BB8FB58300B81805EE8029B2B0DB705956CB11

Function 00AB2EB0 Relevance: 3.0, APIs: 2, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00000002,?,00AB1BE7,00AC979D,00AC979D,00000000,-00000002,00000000,?,00AC979D,00000002,00000000), ref: 00AB2ED1
RtlFreeHeap.NTDLL(00000000,?,00AB1BE7,00AC979D,00AC979D,00000000,-00000002,00000000,?,00AC979D,00000002,00000000), ref: 00AB2ED8

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5dbbce08eafeb49975d090e12bdddf8e42f0c7bc476ac2bb87b79e45af97f8c9
Instruction ID: 933bc3f3e04d065fc1e51c7ae8433cefba8a213e7f3a07b2edc2c661086b0263
Opcode Fuzzy Hash: 5dbbce08eafeb49975d090e12bdddf8e42f0c7bc476ac2bb87b79e45af97f8c9
Instruction Fuzzy Hash: 54017135554284CBC724CFE4FE955A637F9F7487107408217D11A8F6B1DB3588A6CB15

Function 00AAA4E0 Relevance: 3.0, APIs: 2, Instructions: 33
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00AB2325,00000000,?,00AB2325,?), ref: 00AAA4FE
CharLowerBuffA.USER32(00AB2325,00000000,?,00AB2325,?), ref: 00AAA550

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: BuffCharLowerlstrlen
String ID:
API String ID: 794975171-0
Opcode ID: ee79391650abad4b9c1adb76416c567bf3dfb428d5d0f56f7f753c7df0793d32
Instruction ID: c2464474c55f0755f11a15ff4a8581c0ec47ca9e6c34dc4d28e2c60946e2e272
Opcode Fuzzy Hash: ee79391650abad4b9c1adb76416c567bf3dfb428d5d0f56f7f753c7df0793d32
Instruction Fuzzy Hash: 64F0AF71112210EFD701AFA2FD4D0E637B8FB993613818002E406DB279EF749822DB86

Function 00AAE2C0 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00AD220A,02167FFC,?,?,?,?,00AC463C), ref: 00AAE2F8
RtlAllocateHeap.NTDLL(00000000,?,00AD220A,02167FFC,?,?,?,?,00AC463C), ref: 00AAE2FF

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 8685df229c130e5bab98cf6eb83dd7d90b66e97bb6f09ad818cfe8df182b390e
Instruction ID: d38b240e5b4aaa0325c31a42f9e95403d1465b7875af6a165d2fbaffe7e27887
Opcode Fuzzy Hash: 8685df229c130e5bab98cf6eb83dd7d90b66e97bb6f09ad818cfe8df182b390e
Instruction Fuzzy Hash: 32E04F76105241AFCB08DBE9EC8DAAA33B8E704305B00401AF60FCB2A1D731A5968B90

Function 00AB0DC0 Relevance: 1.7, APIs: 1, Instructions: 182fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000708,80000000,00000000,00000000,00000003,00000000,00000000,?,?,00000708,00000000), ref: 00AB0F65

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 79c40ac6a45cabb76369edd5894fe884b24963d764c5297f3a3c5c96f4fa0a31
Instruction ID: b69cd6e8547d6bae569bc4818ca6d48afc91ea8601edd98b90b7f929f2c83f2a
Opcode Fuzzy Hash: 79c40ac6a45cabb76369edd5894fe884b24963d764c5297f3a3c5c96f4fa0a31
Instruction Fuzzy Hash: B3714372A11205CFD714EFA8FC95BA637B5F754310F52841AE416CB2B5EB309963CB84

Function 00AC3CF0 Relevance: 1.6, APIs: 1, Instructions: 120fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00AC3E0B

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: aae5aebf5d889420c92e47214f2d7642b91e8d19066b66add481ac80b874f124
Instruction ID: 5d68d8f7527665dee92f45a0555f49b0a9643de128b70479c13bd9bad71c6a46
Opcode Fuzzy Hash: aae5aebf5d889420c92e47214f2d7642b91e8d19066b66add481ac80b874f124
Instruction Fuzzy Hash: 0941F272A11244DBC724EFA0FC82BE13BB5F798710F528519E641DB1B4EF7049A2CB81

Function 00AC45A9 Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00AC4699

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d873a43da5ce66e8fc535dc263128ba0ebf31213460f15ad673d52d71ea4af80
Instruction ID: 65f2dfe8a6dbf29f4b22a802dd6a7286a5307eb23e01da7e6254f5a0d637b71c
Opcode Fuzzy Hash: d873a43da5ce66e8fc535dc263128ba0ebf31213460f15ad673d52d71ea4af80
Instruction Fuzzy Hash: E311E2729112458F9724EFA0FE8A96937B0FB51345341442AE0438B279FF304513CB81

Function 00AB1200 Relevance: 1.4, APIs: 1, Instructions: 165sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000003E8,?,?,00AC25B4,?,00000708,00000000), ref: 00AB139B

Part of subcall function 00AB0920: GetProcAddress.KERNEL32(75960000,00000000), ref: 00AB0A8A
Part of subcall function 00AB0920: GetProcAddress.KERNEL32(75960000,00000000), ref: 00AB0B05

Part of subcall function 00AD5370: CloseHandle.KERNEL32(?,00000000,?,00AB14A0,00000000,00B2AF24,00000004,00000001,00000000,?,?,00AC25B4,?,00000708,00000000), ref: 00AD5398

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: AddressProc$CloseHandleSleep
String ID:
API String ID: 2193747199-0
Opcode ID: 53bb178b20eebbe7fe4b09a727759a38897a7c9719081ef563e4a5c1b26d71e8
Instruction ID: 694b91dea7d5870bfd85bd3e4d64b6668c6d2cf38919d3fbe9ca3ea23d9d3769
Opcode Fuzzy Hash: 53bb178b20eebbe7fe4b09a727759a38897a7c9719081ef563e4a5c1b26d71e8
Instruction Fuzzy Hash: 026156B1A01301DFD310DF60FD95AA63BB8F794750B918418D0429B2B6EF358963CB95

Non-executed Functions

Function 00AB0500 Relevance: 13.7, APIs: 9, Instructions: 170serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00AB0537
CreateServiceA.ADVAPI32(00000000,00FA6140,00FA6140,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AB0596
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00AB0615
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AB062A
CloseServiceHandle.ADVAPI32(00000000), ref: 00AB06A7
OpenServiceA.ADVAPI32(00000000,00FA6140,00000010), ref: 00AB06EB
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AB072D
CloseServiceHandle.ADVAPI32(00000000), ref: 00AB073E
CloseServiceHandle.ADVAPI32(00000000), ref: 00AB07A8

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: c3cc900e47d022cb071874ae1be2bcd53cf6ae705b17a6e273aa7fbb2c1e5ea5
Instruction ID: fa7677326702d09e21a3c25f07ce73f60f90a04db6c905e28ef74b1ff782dc24
Opcode Fuzzy Hash: c3cc900e47d022cb071874ae1be2bcd53cf6ae705b17a6e273aa7fbb2c1e5ea5
Instruction Fuzzy Hash: A161EC31602650EFD310DFA0FC8ABA63BB4FB84B11F518515E442AB2B5DF7498A3CB46

Function 00AAAF20 Relevance: 7.9, APIs: 5, Instructions: 385serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00AAB0AA
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00AAB15A
GetLastError.KERNEL32 ref: 00AAB17A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00AAB216
CloseServiceHandle.ADVAPI32(00000000), ref: 00AAB41C

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 20aee9dd1958a450f39495ced8117dee894e7debcd91f35e8e5a1c0f8678536b
Instruction ID: b9d30d35df87b63a15e9dd7a105db01ce014f49c910eb50642c1642ff7ccff18
Opcode Fuzzy Hash: 20aee9dd1958a450f39495ced8117dee894e7debcd91f35e8e5a1c0f8678536b
Instruction Fuzzy Hash: CCF188B2911201DFC724DFA4FDC96AA3BB0F799310B51851AD5429B2B5EF3088A3CF95

Function 00AB4380 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AB44A7
Process32First.KERNEL32(00000000,?), ref: 00AB45C2
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00AB47CE
Module32First.KERNEL32(00000000,00000224), ref: 00AB4842
CloseHandle.KERNEL32(00000000,0000000A), ref: 00AB495A
Process32Next.KERNEL32(?,00000128), ref: 00AB49AD
CloseHandle.KERNEL32(00000000), ref: 00AB4A20

Strings

Eln_, xrefs: 00AB48DE, 00AB48ED

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID: Eln_
API String ID: 930127669-3437842203
Opcode ID: 6394efb37d504a65b08afce59edce3aa08d7105651bf38cebd202977a0f9abd9
Instruction ID: 01cbb54bee4b6cf869e725958ab3730d966a8eea3608ab7e188fff4b45950f54
Opcode Fuzzy Hash: 6394efb37d504a65b08afce59edce3aa08d7105651bf38cebd202977a0f9abd9
Instruction Fuzzy Hash: 36F16571A01280CFD714DFA4FDC66A93BB9F788310B41851AD44A8B2B6EF3489A3CF51

Function 00AACA40 Relevance: 10.8, APIs: 7, Instructions: 345fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 00AACB20
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00AACB5D
CloseHandle.KERNEL32(00000000), ref: 00AACBBD
GetTickCount.KERNEL32 ref: 00AACC1D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AACED4
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00AACF0E
CloseHandle.KERNEL32(00000000), ref: 00AACF47

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 30cbffbea964a026e86cd7869ba99a8c2871cabc80558b25e8aec1ca9e92d891
Instruction ID: 39087c33b74b76ce1d7c3f72f8f0c3de7050004d153fd5d5bfa896e3028e3bf8
Opcode Fuzzy Hash: 30cbffbea964a026e86cd7869ba99a8c2871cabc80558b25e8aec1ca9e92d891
Instruction Fuzzy Hash: 84E132B1A01240DFD304EFA4FD89AB937B4FB95720B51811AE8469B2F4EF304967CB95

Function 00AABBC0 Relevance: 10.7, APIs: 7, Instructions: 205processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AABC90
Process32First.KERNEL32(00000000,?), ref: 00AABCE3
OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00AABDDD

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: ea4b2b7e1df0bce408bc209cb326480d5dc80ecf827f06d24c5dd878f8df0147
Instruction ID: f303e8a9a04f4a1e812f1ac28a49a55ec2faed7f09dc9134e38ece49bf234fb9
Opcode Fuzzy Hash: ea4b2b7e1df0bce408bc209cb326480d5dc80ecf827f06d24c5dd878f8df0147
Instruction Fuzzy Hash: 13911175621205CFC724DFA4FCD9AAA37B9FB98310B51811AD4028B2B5DF388996CF50

Function 00AB1530 Relevance: 9.2, APIs: 6, Instructions: 176filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00AB15C3
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00AB168A
CloseHandle.KERNEL32(00000000), ref: 00AB16A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB1715
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00AB1774
CloseHandle.KERNEL32(00000000), ref: 00AB1792

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 912969119452d91634b8e93d3f46ded5a8801ff13677ec057cbda0b473b09739
Instruction ID: 81e67c041df22d4ec00069ea63050afff373179b509da781e93bbd261becc008
Opcode Fuzzy Hash: 912969119452d91634b8e93d3f46ded5a8801ff13677ec057cbda0b473b09739
Instruction Fuzzy Hash: 01710171A02204DFC710EFA9FCC56B97BB8FB88710B91895AE445972B5EF344866CF44

Function 00AABD08 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?,?,?,?,?,00000000), ref: 00AABDDD
TerminateProcess.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00AABE24
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 00AABE68
Process32Next.KERNEL32(00000000,00000128), ref: 00AABF01
CloseHandle.KERNEL32(00000000), ref: 00AABF2F

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate
String ID:
API String ID: 3173823348-0
Opcode ID: c6797e3e0ccf75ae68d89c7706b22021a9b03198c692082433be6aa5f1eb4271
Instruction ID: 228ca21b51547f68f71ed7303fab3e40426f13915614143428aa714e12325ed1
Opcode Fuzzy Hash: c6797e3e0ccf75ae68d89c7706b22021a9b03198c692082433be6aa5f1eb4271
Instruction Fuzzy Hash: 4C512075A11205DFC724DFA4FCD9ABA37F9FB98315B11811AE4028B2B5EB348982CF50

Function 00AD5440 Relevance: 7.6, APIs: 5, Instructions: 71synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD54B2
CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00AD54E4
CloseHandle.KERNEL32(00000000,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD551D
WaitForSingleObject.KERNEL32(?,000000FF,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD5538
CloseHandle.KERNEL32(?,?,000000FF,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD554B

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 407ed96c78aa5172114d202869edf0fa7a4358faaff715771a847ef1bbebc32b
Instruction ID: 6f654c5d8732999bf99500b3527c963bdc026cc2b9aaf85ef2fed62da413334a
Opcode Fuzzy Hash: 407ed96c78aa5172114d202869edf0fa7a4358faaff715771a847ef1bbebc32b
Instruction Fuzzy Hash: A631BB30A01301DBD314DFA4FC89BA27BA5FB88711F51C50AE6569F6B4EB709882CF91

Function 00AB1860 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

SetServiceStatus.ADVAPI32(00FBB740,00B105F8), ref: 00AB19BA

Strings

uRh, xrefs: 00AB18A1

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: ServiceStatus
String ID: uRh
API String ID: 3969395364-64653548
Opcode ID: cb111d0d140985002f5bb1f126d829cbb7bafc20f5166a34f566039f7692faf3
Instruction ID: 9864130e58e3a9788a2f8a2eea48dcf223d1c4f06ee5348845163b0e287c74f3
Opcode Fuzzy Hash: cb111d0d140985002f5bb1f126d829cbb7bafc20f5166a34f566039f7692faf3
Instruction Fuzzy Hash: 0C31BA71620285EFD304DFE4FCA98A13BB9F3A8351385811AE546CB2B4DB3495A6DF11

Function 00AAD000 Relevance: 6.3, APIs: 4, Instructions: 269fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AAD11A
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00AAD1CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AAD3EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00AAD2E9

Part of subcall function 00ACFCC0: ReleaseMutex.KERNEL32(00AB0D8E,?,00AB0D8E,00000128,00000000), ref: 00ACFCE9

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseFileHandle$CreateMutexReadRelease
String ID:
API String ID: 1760212717-0
Opcode ID: c6f49eab681c6e67f6aa7be62c687598ebfc604e0ca1337be803a019027709eb
Instruction ID: 78078e2f58fd147cd1e52a7ad78edf1e46b113a718332d7462acacda160d2adc
Opcode Fuzzy Hash: c6f49eab681c6e67f6aa7be62c687598ebfc604e0ca1337be803a019027709eb
Instruction Fuzzy Hash: 50B156B2A11600DBC714EFA4FCC96A937B5FB94301F128456E1469B2F5EF3049A6CB41

Function 00AB68D0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00AB03A9,00000000,?), ref: 00AB6957
RtlReAllocateHeap.NTDLL(00000000,?,00AB03A9,00000000), ref: 00AB695E
GetProcessHeap.KERNEL32(00000000,?,?,00AB03A9,00000000,?), ref: 00AB69C8
HeapAlloc.KERNEL32(00000000,?,00AB03A9,00000000,?), ref: 00AB69CF

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: eeb0b182394d46f6f07ae004e574f1753b4bf47a68331090d8a4ff415b3e4157
Instruction ID: bcfb9d685a85ccf5dfccce8e2c22894655d74ca8990e8256cec42d2d9e20973d
Opcode Fuzzy Hash: eeb0b182394d46f6f07ae004e574f1753b4bf47a68331090d8a4ff415b3e4157
Instruction Fuzzy Hash: 4C21AC71642204DFD709EFA1FEC95A03F78F790310BA28415D586976B8EF3198A2CF50

Function 00AD50E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(00AC247D,00000001,?,?,00AC247D), ref: 00AD518C
GetTickCount.KERNEL32 ref: 00AD52BE

Strings

@AB , xrefs: 00AD52CD

Memory Dump Source

Source File: 00000009.00000002.2052832106.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 00000009.00000002.2052817442.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052858898.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B10000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B13000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B17000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052875964.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.2052975723.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @AB
API String ID: 2164215191-841575833
Opcode ID: 24a2a738b4c22cae69aa1b3a11c056efbf02e692ec5a609cf127a3f868102ed8
Instruction ID: 464ca0ebe48867a0cc7bfe25d646bc6206bcb08b02c0b97174d0cac2a48faeb1
Opcode Fuzzy Hash: 24a2a738b4c22cae69aa1b3a11c056efbf02e692ec5a609cf127a3f868102ed8
Instruction Fuzzy Hash: 3D51EE72A01690CFC318EFF9FDC95653BB1F7A43403458556E48A8B2B4EF749862CB85

Analysis Process: amdrhfskpcu.exePID: 7668, Parent PID: 7336COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1705
Total number of Limit Nodes:	16

Executed Functions

Function 00837A04 Relevance: 60.1, APIs: 28, Strings: 5, Instructions: 2326sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 008383DA
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00838448
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 008384DC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 008384F7
GetTickCount.KERNEL32 ref: 00838599

Part of subcall function 00845200: GetVersionExA.KERNEL32(008BAE70), ref: 008452CC

Sleep.KERNEL32(00000D05), ref: 00838B70
Sleep.KERNELBASE(000007D0), ref: 00838DAC
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00838E86
SetFileAttributesA.KERNEL32(?,00000080), ref: 00838E9F
CopyFileA.KERNEL32(?,?,00000000), ref: 00838EC3
SetFileAttributesA.KERNEL32(?,00000002), ref: 0083912B
SetFileAttributesA.KERNEL32(?,00000080), ref: 00839186
GetCommandLineA.KERNEL32 ref: 00839265
GetModuleFileNameA.KERNEL32(00000000,?), ref: 00839370

Part of subcall function 0083A4E0: lstrlen.KERNEL32(?), ref: 0083A4FE

Part of subcall function 0083D500: lstrlen.KERNEL32(?,?,0083D630,?), ref: 0083D523

MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 008396D4
CloseHandle.KERNEL32(00000000), ref: 00839AC8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00839AEC
CopyFileA.KERNEL32(?,?,00000000), ref: 00839B0C
SetFileAttributesA.KERNEL32(?,00000002), ref: 00839B3B
Sleep.KERNEL32(000003E8), ref: 00839C52
Sleep.KERNELBASE(000003E8), ref: 00838CB2

Part of subcall function 0083BBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0083BC90
Part of subcall function 0083BBC0: Process32First.KERNEL32(00000000,?), ref: 0083BCE3

GetCommandLineA.KERNEL32 ref: 008386AE

Part of subcall function 00832800: ExitProcess.KERNEL32 ref: 00832842

Part of subcall function 008608B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00860929
Part of subcall function 008608B0: __aulldiv.LIBCMT ref: 00860953

Sleep.KERNEL32(000007D0), ref: 00839E32
SetFileAttributesA.KERNEL32(0087D800,00000080), ref: 00839E88
CopyFileA.KERNEL32(?,0087D800,00000000), ref: 00839EA6
SetFileAttributesA.KERNEL32(0087D800,00000002), ref: 00839EC5

Part of subcall function 00840500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00840537
Part of subcall function 00840500: CreateServiceA.ADVAPI32(00000000,0130E680,0130E680,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00840596
Part of subcall function 00840500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00840615
Part of subcall function 00840500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0084062A

CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 0083A26A
Sleep.KERNEL32(0000C350), ref: 0083A327

Strings

%Tmd, xrefs: 00838421
@L, xrefs: 00837E24
}en, xrefs: 00839856
C:\Windows\system32\config\systemprofile, xrefs: 008383D4
zS, xrefs: 00839CD7

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
String ID: zS$%Tmd$C:\Windows\system32\config\systemprofile$@L$}en
API String ID: 2964372999-1718768463
Opcode ID: 964797e728652a2b2a03736d05a732fc988bd514aae53fb0667f6aa74a24bc08
Instruction ID: f61434a9fa10dffd401862368cd5c4f281ead3da85a4fdf794038099fa46ca15
Opcode Fuzzy Hash: 964797e728652a2b2a03736d05a732fc988bd514aae53fb0667f6aa74a24bc08
Instruction Fuzzy Hash: 44233571A00701DFE704EF28FC8E6653BB4FB95311F114519E58AD6AB9EB7088A0CF96

Function 00845200 Relevance: 30.9, APIs: 12, Strings: 5, Instructions: 1106
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(008BAE70), ref: 008452CC
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 0084549F
DeleteFileA.KERNELBASE(?), ref: 008456FE
RemoveDirectoryA.KERNELBASE(00000000), ref: 00845743
CreateDirectoryA.KERNELBASE(?,00000000), ref: 0084583A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 008458F3
CreateDirectoryA.KERNEL32(?,00000000), ref: 00845D71
CreateDirectoryA.KERNEL32(?,00000000), ref: 00845E82
GetTempPathA.KERNEL32(00000104,?), ref: 00846029
CreateDirectoryA.KERNEL32(?,00000000), ref: 008461FF
GetTempPathA.KERNEL32(00000104,?), ref: 008463DE
SetFileAttributesA.KERNELBASE(?,00000002), ref: 0084655F

Strings

\, xrefs: 00846092
aE'P, xrefs: 00845BDE
C:\Windows\system32\config\systemprofile, xrefs: 00845B3A, 00845C6A
r9:, xrefs: 00846085
C:\whfkpbh\, xrefs: 00845851, 00845D90, 008461A2, 008463F5

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Windows\system32\config\systemprofile$C:\whfkpbh\$\$aE'P$r9:
API String ID: 1691758827-2593203275
Opcode ID: cef4c251fb4f886c8424073dcad0968493924f5a9a4b2ac9f8691790f707d134
Instruction ID: 86d93a02275ea10cfeb6c9f803c27f39d8d93d6d4e75c648bb5e750f8df045c4
Opcode Fuzzy Hash: cef4c251fb4f886c8424073dcad0968493924f5a9a4b2ac9f8691790f707d134
Instruction Fuzzy Hash: 8EA279B2A00705CFE704DF28FC8A6653BB0F795310B058529E546D6AB9FB7488E4CF96

Function 0083BBC0 Relevance: 10.7, APIs: 7, Instructions: 205
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0083BC90
Process32First.KERNEL32(00000000,?), ref: 0083BCE3
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0083BDDD

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 370694de37915f0443f7d17b0dab8b378e9b4e88f6870d8941ec72b3a333acf9
Instruction ID: 107e19c7f584190839497b203a1f8de3b5b420ca4c22fb1223d2b2d9d808a7ee
Opcode Fuzzy Hash: 370694de37915f0443f7d17b0dab8b378e9b4e88f6870d8941ec72b3a333acf9
Instruction Fuzzy Hash: F59130B6A00701CFD714DF28FC99A6A3BB9FB98310F05421AE505C7678EB749994CF81

Function 00841530 Relevance: 9.2, APIs: 6, Instructions: 176
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 008415C3
GetFileTime.KERNEL32(00000000,?,?,?), ref: 0084168A
CloseHandle.KERNEL32(00000000), ref: 008416A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00841715
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00841774
CloseHandle.KERNEL32(00000000), ref: 00841792

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: f2e0ddb3c809990a0932acf09edbcb09665b7778d100fce7e8c93a8e189ea8b0
Instruction ID: 8b1734fc433fbb0533eec4d4bac78abc14f3acf3d0bdcbe8cb598206cf83f7d7
Opcode Fuzzy Hash: f2e0ddb3c809990a0932acf09edbcb09665b7778d100fce7e8c93a8e189ea8b0
Instruction Fuzzy Hash: F9712271A01308DFEB00DF59FC896757BB4FB8A310F12461AE549D2AB8E77584A4CF45

Function 0083BD08 Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0083BDDD
TerminateProcess.KERNELBASE(00000000,000000FF), ref: 0083BE24
CloseHandle.KERNEL32(00000000), ref: 0083BE68
Process32Next.KERNEL32(00000000,00000128), ref: 0083BF01
CloseHandle.KERNEL32(00000000), ref: 0083BF2F

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate
String ID:
API String ID: 3173823348-0
Opcode ID: 34731e22ddbe39f0e8fcf597284e5bd676569c365c698b6fe3068608932e1a94
Instruction ID: 27014a5738ce5eaef20e4c4a27d94b899a5f40b04c481ff262d47f8ab7b5d08c
Opcode Fuzzy Hash: 34731e22ddbe39f0e8fcf597284e5bd676569c365c698b6fe3068608932e1a94
Instruction Fuzzy Hash: C9512F75A01301CFD704DF28FC99AA63BB5FB88315F05821AE509C7268EB7499D0CF81

Function 0085FA80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,0084ED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 0085FBF1
CloseHandle.KERNEL32(0084ED48,?,?,?,?,?,00000000), ref: 0085FC2F
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 0085FC58

Strings

D, xrefs: 0085FB8F

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: 07483c6b663a7d8eb94e6dcc011bfa0f0fb1c49a15781953e3bea9a89639d005
Instruction ID: c7a45252e51f3e42840665e9c83422c274afa88ebdaf0d4204ff14867ffce948
Opcode Fuzzy Hash: 07483c6b663a7d8eb94e6dcc011bfa0f0fb1c49a15781953e3bea9a89639d005
Instruction Fuzzy Hash: 2F510271951214DBE704DF68FC8A7B63BF4F749701F04002AE54AD7AB8EBB494A4CB46

Function 00842120 Relevance: 6.2, APIs: 4, Instructions: 207
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008421D0
Process32First.KERNEL32(00000000,00000128), ref: 00842257
Process32Next.KERNEL32(00000000,00000128), ref: 00842384
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00842426

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID:
API String ID: 3243318325-0
Opcode ID: 778257feb1d74fa5a0ee2dd92c90ec3bb05c87cbee17293844c70975e5e6ac46
Instruction ID: 7b432ebb6fd8c82ee3a2fc6092244f70f2b0cc260e38d25643cdab91b0584cbc
Opcode Fuzzy Hash: 778257feb1d74fa5a0ee2dd92c90ec3bb05c87cbee17293844c70975e5e6ac46
Instruction Fuzzy Hash: 45914171A05718CFE704EF25FC886A53BB4FBA5310F45411AD846D2A79EBB4C4A0CF6A

Function 00841D90 Relevance: 4.7, APIs: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00853110: WaitForSingleObject.KERNEL32(?,00004E20,?,0083D0F2,00000124), ref: 008531AD

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00841E7B

Part of subcall function 0085FCC0: ReleaseMutex.KERNEL32(0083D410,?,0083D410,00000124), ref: 0085FCE9

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: 746d30093f61757068802e78b65262e19990bb9f0fa096d97c0e2b7b7b27d2bd
Instruction ID: fb28aa0157807ad3e428fbc69658475316fd56b37b2f62392755ea94b55c96fa
Opcode Fuzzy Hash: 746d30093f61757068802e78b65262e19990bb9f0fa096d97c0e2b7b7b27d2bd
Instruction Fuzzy Hash: 1D71DD72610604CFD704DF28FC8EA297BB4FB95305F028215E90997AB9EB70D8A4CF81

Function 0083B7A0 Relevance: 3.1, APIs: 2, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 0083B82B
CheckTokenMembership.KERNELBASE(00000000,?,?), ref: 0083B87D

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: 8b84a374a7469e8908af899e2b9e96f1b127819c0903c2600c9d617a11388493
Instruction ID: cbcaf854623d5adf0abe573bf04525b04baac7e84ac337f75cea025da747cb87
Opcode Fuzzy Hash: 8b84a374a7469e8908af899e2b9e96f1b127819c0903c2600c9d617a11388493
Instruction Fuzzy Hash: E4311074901348EFEB04CFB4ED999BA7FB8FB9A300B01815EE40297275D7709994DB51

Function 00842EB0 Relevance: 3.0, APIs: 2, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00840367,?,00840367,00000000), ref: 00842ED1
RtlFreeHeap.NTDLL(00000000,?,00840367,00000000), ref: 00842ED8

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: a9bd257d05bd92441cd81a0a8e60d6354b1cc43da1dacd13a7d8bb39a8780f91
Instruction ID: 44e77190365a30812746e84a1edd9f0f604da40d1d9288e473efaa94a23073b0
Opcode Fuzzy Hash: a9bd257d05bd92441cd81a0a8e60d6354b1cc43da1dacd13a7d8bb39a8780f91
Instruction Fuzzy Hash: 0A01DF35608648CBC724DF68FE5A4263BF9F7447207915316E00E8B2B6CB30D8DACB15

Function 0083E2C0 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,0086220A,02167FFC,?,?,?,?,0085463C), ref: 0083E2F8
RtlAllocateHeap.NTDLL(00000000,?,0086220A,02167FFC,?,?,?,?,0085463C), ref: 0083E2FF

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 34df881b0e4c6ef5df1fdd29e0d28371c02bae3491b1fac0cc077760de295ed4
Instruction ID: 3ffb06bae795c195f3b7256faffbfbda82e6f4bac2523834c9a3a7d5e3c4ff66
Opcode Fuzzy Hash: 34df881b0e4c6ef5df1fdd29e0d28371c02bae3491b1fac0cc077760de295ed4
Instruction Fuzzy Hash: D9E046B6104200AFC708CBA9FC8DA5633A8FB04309B006118F60EC626AC671E5C18BA2

Function 008545A9 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00854699

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ef27629173bc43baba8478a1c387dc2bd8674551b26ed7f51f6f3f5aabbb8571
Instruction ID: 0c1b734ab4040e62748600a919674169b0e723232764e7331363de1a73f7d976
Opcode Fuzzy Hash: ef27629173bc43baba8478a1c387dc2bd8674551b26ed7f51f6f3f5aabbb8571
Instruction Fuzzy Hash: D3112B725119118BE714AF38FE8E82537F0F76230A3051426E547C667EFB74C455DB82

Function 00832800 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00832842

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: afe5ec0e4f75bddbb3c258d47fba6bf3db04c1f14bb3858d42772b2a6ceb2d97
Instruction ID: 3e12307955723892e174ac90eb44af47a9a06d664fcbdcbc1da44a7cbeffa861
Opcode Fuzzy Hash: afe5ec0e4f75bddbb3c258d47fba6bf3db04c1f14bb3858d42772b2a6ceb2d97
Instruction Fuzzy Hash: B4E08C3C0003098BC758EF28D8DA8763BA6FB85305755D12BD9664B661CA74E88ADF86

Function 0083A4E0 Relevance: 1.3, APIs: 1, Instructions: 33
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 0083A4FE

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: 2ce6744e832ffca676f8b7c8eb088630943e802baae255c2a6f7dac13585360a
Instruction ID: 8de445a4169e146e4c56925121f489bc02d39eb960f585aad97a484793297e0f
Opcode Fuzzy Hash: 2ce6744e832ffca676f8b7c8eb088630943e802baae255c2a6f7dac13585360a
Instruction Fuzzy Hash: 48F0F671111220EFE7065F61FD0D0663BB8FB8E3613410052E549D6939E7788861DF8F

Non-executed Functions

Function 00840500 Relevance: 13.7, APIs: 9, Instructions: 170serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00840537
CreateServiceA.ADVAPI32(00000000,0130E680,0130E680,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00840596
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00840615
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0084062A
CloseServiceHandle.ADVAPI32(00000000), ref: 008406A7
OpenServiceA.ADVAPI32(00000000,0130E680,00000010), ref: 008406EB
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 0084072D
CloseServiceHandle.ADVAPI32(00000000), ref: 0084073E
CloseServiceHandle.ADVAPI32(00000000), ref: 008407A8

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: f9eecca4326aba56ddffeaaf80e772d29a902b13a2107a738d070b7a58ef906a
Instruction ID: 62146a69c336aea5708794a457b4c39df6cf82dc8ba0b7fc439f49d6ba1f8687
Opcode Fuzzy Hash: f9eecca4326aba56ddffeaaf80e772d29a902b13a2107a738d070b7a58ef906a
Instruction Fuzzy Hash: B6612271A01314EFE3059F24FC8AB263FB4FB95B11F154605E646E66B8E77094A0CF46

Function 0083AF20 Relevance: 7.9, APIs: 5, Instructions: 385serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 0083B0AA
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 0083B15A
GetLastError.KERNEL32 ref: 0083B17A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 0083B216
CloseServiceHandle.ADVAPI32(00000000), ref: 0083B41C

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: 936088513ecb3ef039868086c2f377b8b94de0ebd9d05aa8490cd55bab8ec575
Instruction ID: 41969bfeb7417c7794de3c0e83312aa09ba4161ff5df2f19254ff1fc5b87e40c
Opcode Fuzzy Hash: 936088513ecb3ef039868086c2f377b8b94de0ebd9d05aa8490cd55bab8ec575
Instruction Fuzzy Hash: 5EF145B2A01601DFD718DF68FC8966A3BB0FB84310F114219D64AD76B9E774D8A1CB86

Function 00859580 Relevance: 7.7, APIs: 5, Instructions: 220filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000001), ref: 00859679
FindFirstFileA.KERNEL32(?,?), ref: 008597B8
DeleteFileA.KERNEL32(?), ref: 008598A9
FindNextFileA.KERNEL32(00000000,?), ref: 008598CB
FindClose.KERNEL32(00000000), ref: 008598E4

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID:
API String ID: 1528862845-0
Opcode ID: 6097b066a658aef56f99312bcade2b7c5b5c93b4a74a582f55762458b0efcec3
Instruction ID: 6d37877d3920ae623fdacbba631635ee1a121b72257d4d8212190952cc6f3a8f
Opcode Fuzzy Hash: 6097b066a658aef56f99312bcade2b7c5b5c93b4a74a582f55762458b0efcec3
Instruction Fuzzy Hash: B7914675901311CFDB04CF64FC8A5A53BB0FB9A301B41862AE98AD7A74FB748990CF52

Function 00846C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187registrysynchronizationCOMMON

Download Yara Rule

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(0130E680,Function_00011860), ref: 00846D72
SetServiceStatus.ADVAPI32(00000000,008A05F8), ref: 00846DD5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00846DE9
SetServiceStatus.ADVAPI32(00000000,008A05F8), ref: 00846E8A
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00846EBE
SetServiceStatus.ADVAPI32(00000000,008A05F8), ref: 00846F2B
CloseHandle.KERNEL32(00000000), ref: 00846F42
SetServiceStatus.ADVAPI32(00000000,008A05F8), ref: 00846FAA

Strings

=ZMI, xrefs: 00846D10

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: =ZMI
API String ID: 3399922960-150576250
Opcode ID: ce0f1c8053ade8ed49c7939844cbfe8dd527c93d10c16d947cb39593766d18e9
Instruction ID: 8e5da2af588b0a641bb589382f2bee1fb397f7eda060518e662a9d64f43b3657
Opcode Fuzzy Hash: ce0f1c8053ade8ed49c7939844cbfe8dd527c93d10c16d947cb39593766d18e9
Instruction Fuzzy Hash: 6D91EE70901702CFE308CF28FD8D5253FB4FB9A310715821AE59AD2AB8E77884A5CF46

Function 00844380 Relevance: 10.9, APIs: 7, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 008444A7
Process32First.KERNEL32(00000000,?), ref: 008445C2
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 008447CE
Module32First.KERNEL32(00000000,00000224), ref: 00844842
CloseHandle.KERNEL32(00000000,0000000A), ref: 0084495A
Process32Next.KERNEL32(?,00000128), ref: 008449AD
CloseHandle.KERNEL32(00000000), ref: 00844A20

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID:
API String ID: 930127669-0
Opcode ID: 14238da84e2f1eeea6ec9ed23ac7d87815e2c6156525966cf2497302d8613d62
Instruction ID: 0fadf612b073227c9b04352105cbecc85edfba1a16a5e1a7423c02b6b125c902
Opcode Fuzzy Hash: 14238da84e2f1eeea6ec9ed23ac7d87815e2c6156525966cf2497302d8613d62
Instruction Fuzzy Hash: 5CF16371A01604CFE714DF28FC8E6653BB5F789310B01522AD48AD76B9EB7488E1CF52

Function 0083CA40 Relevance: 10.8, APIs: 7, Instructions: 345fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 0083CB20
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 0083CB5D
CloseHandle.KERNEL32(00000000), ref: 0083CBBD
GetTickCount.KERNEL32 ref: 0083CC1D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 0083CED4
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 0083CF0E
CloseHandle.KERNEL32(00000000), ref: 0083CF47

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 390cf9a702bf687dba73ca437fa2bfaa1d2f4bdff6cf921aa5920cd55a458f89
Instruction ID: 66b92c6964db088fe0bdd88ff14453908928c7a613dc69cc7f331b7e37c7f30b
Opcode Fuzzy Hash: 390cf9a702bf687dba73ca437fa2bfaa1d2f4bdff6cf921aa5920cd55a458f89
Instruction Fuzzy Hash: 01E16771A00710DFE304EF28FC9DA693BB4FB91710F11411AE54AD76B9EB7089A1CB96

Function 00865440 Relevance: 7.6, APIs: 5, Instructions: 71synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,0084E92E,0084CA40,00000000,?), ref: 008654B2
CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 008654E4
CloseHandle.KERNEL32(00000000,?,0084E92E,0084CA40,00000000,?), ref: 0086551D
WaitForSingleObject.KERNEL32(?,000000FF,?,0084E92E,0084CA40,00000000,?), ref: 00865538
CloseHandle.KERNEL32(?,?,000000FF,?,0084E92E,0084CA40,00000000,?), ref: 0086554B

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: ba26cc604052ce0edcd59d174e3ad2f77c5ffb62b5d87d8f2a1bdd0fca803c46
Instruction ID: c6af7a6ebf04b5b3ab9e19ed2660100869f182870b02ce98f8230df30b203493
Opcode Fuzzy Hash: ba26cc604052ce0edcd59d174e3ad2f77c5ffb62b5d87d8f2a1bdd0fca803c46
Instruction Fuzzy Hash: 7F318D30601701DFE3189F64EC89B227BF4FB49711F11851AE68A9BAB8E7B494D0CF95

Function 0083D000 Relevance: 6.3, APIs: 4, Instructions: 269fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0083D11A
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 0083D1CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 0083D3EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 0083D2E9

Part of subcall function 0085FCC0: ReleaseMutex.KERNEL32(0083D410,?,0083D410,00000124), ref: 0085FCE9

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CloseFileHandle$CreateMutexReadRelease
String ID:
API String ID: 1760212717-0
Opcode ID: eab360df95d98f61ead6d4483120c528ff6b0cc6d162c15b04260103c076bc4a
Instruction ID: c45030dd2600ae0033342902b77d1815078c9ccd6e0b987da6ab1a052d704e93
Opcode Fuzzy Hash: eab360df95d98f61ead6d4483120c528ff6b0cc6d162c15b04260103c076bc4a
Instruction Fuzzy Hash: BAB16872600B04DBE704AF28FC8A7693BB5FBC4311F154056E549D76F9EB7089A4CB82

Function 008468D0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,008403A9,00000000,?), ref: 00846957
RtlReAllocateHeap.NTDLL(00000000,?,008403A9,00000000), ref: 0084695E
GetProcessHeap.KERNEL32(00000000,?,?,008403A9,00000000,?), ref: 008469C8
HeapAlloc.KERNEL32(00000000,?,008403A9,00000000,?), ref: 008469CF

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: 4c5eb2216e6f825a58b03adfe9a81f57c95ffa32c10a4513a7de7a9c339307ad
Instruction ID: 611358548bf7ab12515943c170dd54db632f8a80c3521dc5804100e8d0a40a18
Opcode Fuzzy Hash: 4c5eb2216e6f825a58b03adfe9a81f57c95ffa32c10a4513a7de7a9c339307ad
Instruction Fuzzy Hash: 4E213372600704DFE7059F64FE8EA503F38FB82314B624515E54AA3AB9EB3198B0CF59

Function 00850FD8 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

/, xrefs: 0085100F
XH, xrefs: 0085153C

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID:
String ID: XH$/
API String ID: 0-571299465
Opcode ID: e1c103b641971ac7d6e9fe46e831c4b7af2dfb69b3955c163c06d6463b81f471
Instruction ID: b807bbc159f00c19d00731bde040a61665338f1f823a0d281ae16e10eea224a9
Opcode Fuzzy Hash: e1c103b641971ac7d6e9fe46e831c4b7af2dfb69b3955c163c06d6463b81f471
Instruction Fuzzy Hash: 0BF12631900215CFEB14EF68FC9A6BE7BB8FB55310F014129E44A976B5EB708994CF52

Function 008650E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(0085247D,00000001,?,?,0085247D), ref: 0086518C
GetTickCount.KERNEL32 ref: 008652BE

Strings

@AB , xrefs: 008652CD

Memory Dump Source

Source File: 0000000A.00000002.2071263631.0000000000831000.00000020.00000001.01000000.00000008.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000A.00000002.2071230853.0000000000830000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071306166.0000000000867000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.000000000086C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008A9000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071329164.00000000008BA000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2071413580.00000000008BB000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_830000_amdrhfskpcu.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @AB
API String ID: 2164215191-841575833
Opcode ID: 36b31bde31af312107e64400499b3fa4a08cde17a63259b30cd6acc930bcc129
Instruction ID: bc9ce606d0c150c4bbab96090a7611ab6d5515bfa7664d62287c20368f52d967
Opcode Fuzzy Hash: 36b31bde31af312107e64400499b3fa4a08cde17a63259b30cd6acc930bcc129
Instruction Fuzzy Hash: C351BD72A00A15CFD708DF69FD8E5293BB1F7A53107160216D48AC72B8EB74D8A4CB86

Analysis Process: idtpqzltyfy.exePID: 1476, Parent PID: 8076COMMON

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1704
Total number of Limit Nodes:	12

Executed Functions

Function 00AA7A04 Relevance: 65.3, APIs: 28, Strings: 8, Instructions: 2326sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Users\user,00000104), ref: 00AA83DA
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00AA8448
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00AA84DC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00AA84F7
GetTickCount.KERNEL32 ref: 00AA8599

Part of subcall function 00AB5200: GetVersionExA.KERNEL32(00B2AE70), ref: 00AB52CC

Sleep.KERNEL32(00000D05), ref: 00AA8B70
Sleep.KERNEL32(000007D0), ref: 00AA8DAC
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 00AA8E86
SetFileAttributesA.KERNEL32(?,00000080), ref: 00AA8E9F
CopyFileA.KERNEL32(?,?,00000000), ref: 00AA8EC3
SetFileAttributesA.KERNEL32(?,00000002), ref: 00AA912B
SetFileAttributesA.KERNEL32(?,00000080), ref: 00AA9186
GetCommandLineA.KERNEL32 ref: 00AA9265
GetModuleFileNameA.KERNELBASE(00000000,?), ref: 00AA9370

Part of subcall function 00AAA4E0: lstrlen.KERNEL32(?), ref: 00AAA4FE

Part of subcall function 00AAD500: lstrlen.KERNEL32(?,?,00AAD630,?), ref: 00AAD523

MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 00AA96D4
CloseHandle.KERNEL32(FFFFFFFF), ref: 00AA9AC8
SetFileAttributesA.KERNEL32(?,00000080), ref: 00AA9AEC
CopyFileA.KERNEL32(?,?,00000000), ref: 00AA9B0C
SetFileAttributesA.KERNEL32(?,00000002), ref: 00AA9B3B
Sleep.KERNEL32(000003E8), ref: 00AA9C52
Sleep.KERNEL32(000003E8), ref: 00AA8CB2

Part of subcall function 00AABBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AABC90
Part of subcall function 00AABBC0: Process32First.KERNEL32(00000000,?), ref: 00AABCE3

GetCommandLineA.KERNEL32 ref: 00AA86AE

Part of subcall function 00AA2800: ExitProcess.KERNEL32 ref: 00AA2842

Part of subcall function 00AD08B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00AD0929
Part of subcall function 00AD08B0: __aulldiv.LIBCMT ref: 00AD0953

Sleep.KERNEL32(000007D0), ref: 00AA9E32
SetFileAttributesA.KERNEL32(00AED800,00000080), ref: 00AA9E88
CopyFileA.KERNEL32(?,00AED800,00000000), ref: 00AA9EA6
SetFileAttributesA.KERNEL32(00AED800,00000002), ref: 00AA9EC5

Part of subcall function 00AB0500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00AB0537
Part of subcall function 00AB0500: CreateServiceA.ADVAPI32(00000000,005F4CA8,005F4CA8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AB0596
Part of subcall function 00AB0500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00AB0615
Part of subcall function 00AB0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AB062A

CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 00AAA26A
Sleep.KERNEL32(0000C350), ref: 00AAA327

Strings

h/_, xrefs: 00AA852F, 00AA8536
%Tmd, xrefs: 00AA8421
xI_, xrefs: 00AA93E1
L_, xrefs: 00AA9902, 00AA9DD0, 00AA9E00
@L, xrefs: 00AA7E24
C:\Users\user, xrefs: 00AA83D4
}en, xrefs: 00AA9856
zS, xrefs: 00AA9CD7

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
String ID: zS$%Tmd$C:\Users\user$h/_$xI_$@L$L_$}en
API String ID: 2964372999-1451281979
Opcode ID: bde7e12e792fac230771e5bdc86d85a2f9c46aec520d7ab91c671d1f9a8dfd61
Instruction ID: d00e1dda4acd5a8d252fbea25eeb10cd44d7136a6555609e7467f7fd3defdb02
Opcode Fuzzy Hash: bde7e12e792fac230771e5bdc86d85a2f9c46aec520d7ab91c671d1f9a8dfd61
Instruction Fuzzy Hash: 3B234671A01341DFD714EFA4FDCAAA63BB4FB95300B91851AE0469B2B5EF3448A2CF51

Function 00AB5200 Relevance: 30.9, APIs: 12, Strings: 5, Instructions: 1106
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExA.KERNEL32(00B2AE70), ref: 00AB52CC
CreateDirectoryA.KERNELBASE(0000005C,00000000), ref: 00AB549F
DeleteFileA.KERNELBASE(?), ref: 00AB56FE
RemoveDirectoryA.KERNELBASE(00000000), ref: 00AB5743
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00AB583A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00AB58F3
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB5D71
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB5E82
GetTempPathA.KERNEL32(00000104,?), ref: 00AB6029
CreateDirectoryA.KERNEL32(?,00000000), ref: 00AB61FF
GetTempPathA.KERNEL32(00000104,?), ref: 00AB63DE
SetFileAttributesA.KERNELBASE(?,00000002), ref: 00AB655F

Strings

C:\whfkpbh\, xrefs: 00AB5851, 00AB5D90, 00AB61A2, 00AB63F5
aE'P, xrefs: 00AB5BDE
r9:, xrefs: 00AB6085
\, xrefs: 00AB6092
C:\Users\user, xrefs: 00AB5B3A, 00AB5C6A

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Directory$Create$FilePathTemp$AttributesDeleteRemoveVersion
String ID: C:\Users\user$C:\whfkpbh\$\$aE'P$r9:
API String ID: 1691758827-3642148351
Opcode ID: c838130182bcd7c02ed6004413af91e3d437b789f6fa760c96ef43f4260dcefc
Instruction ID: 3b8e184bc13656d7bc5fe9f3c9606d5313490f4d846e78a775dd8bfeb70f63b0
Opcode Fuzzy Hash: c838130182bcd7c02ed6004413af91e3d437b789f6fa760c96ef43f4260dcefc
Instruction Fuzzy Hash: 32A265B2A01201CFC714EFA4FDCA6E53BB5F794310B40852AE5429B2B5EF3489A7CB55

Function 00AB1D90 Relevance: 4.7, APIs: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00AC3110: WaitForSingleObject.KERNEL32(?,00004E20,?,00AAD0F2,00000108), ref: 00AC31AD

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00AB1E7B

Part of subcall function 00ACFCC0: ReleaseMutex.KERNEL32(00AAD410,?,00AAD410,00000108), ref: 00ACFCE9

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: 93067f56d8bb569090c17183a8b9742d8446ce9fbb51ac0c6438e3d2bdae7281
Instruction ID: 042eff90b562d8eece0c7afdfe536ccc2582a912cdcfd15a22f27605dc6346fe
Opcode Fuzzy Hash: 93067f56d8bb569090c17183a8b9742d8446ce9fbb51ac0c6438e3d2bdae7281
Instruction Fuzzy Hash: CC712571611244DFC314DFA4FC95AB937B8FB94310F82811AE8069B6B5DF319962CF41

Function 00AAB7A0 Relevance: 3.1, APIs: 2, Instructions: 89
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00AAB82B
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AAB87D

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: AllocateCheckInitializeMembershipToken
String ID:
API String ID: 1663163955-0
Opcode ID: 16e33e4b138b53248a0750fce703a4aa644865b58ab8db05fae6b1cb0cd570c1
Instruction ID: eda289d4c740e68eedaafce2458f5fd1c99f0e1c4b6ace16a1fec9c7a0c9752b
Opcode Fuzzy Hash: 16e33e4b138b53248a0750fce703a4aa644865b58ab8db05fae6b1cb0cd570c1
Instruction Fuzzy Hash: B231D075912288DFD704DFB4FDD99B97BB8FB58300B81805EE8029B2B0DB705956CB11

Function 00AB2EB0 Relevance: 3.0, APIs: 2, Instructions: 40
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,00AB0367,?,00AB0367,00000000), ref: 00AB2ED1
RtlFreeHeap.NTDLL(00000000,?,00AB0367,00000000), ref: 00AB2ED8

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5dbbce08eafeb49975d090e12bdddf8e42f0c7bc476ac2bb87b79e45af97f8c9
Instruction ID: 933bc3f3e04d065fc1e51c7ae8433cefba8a213e7f3a07b2edc2c661086b0263
Opcode Fuzzy Hash: 5dbbce08eafeb49975d090e12bdddf8e42f0c7bc476ac2bb87b79e45af97f8c9
Instruction Fuzzy Hash: 54017135554284CBC724CFE4FE955A637F9F7487107408217D11A8F6B1DB3588A6CB15

Function 00AAE2C0 Relevance: 3.0, APIs: 2, Instructions: 19
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32(00000000,?,?,00AD220A,02167FFC,?,?,?,?,00AC463C), ref: 00AAE2F8
RtlAllocateHeap.NTDLL(00000000,?,00AD220A,02167FFC,?,?,?,?,00AC463C), ref: 00AAE2FF

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 8685df229c130e5bab98cf6eb83dd7d90b66e97bb6f09ad818cfe8df182b390e
Instruction ID: d38b240e5b4aaa0325c31a42f9e95403d1465b7875af6a165d2fbaffe7e27887
Opcode Fuzzy Hash: 8685df229c130e5bab98cf6eb83dd7d90b66e97bb6f09ad818cfe8df182b390e
Instruction Fuzzy Hash: 32E04F76105241AFCB08DBE9EC8DAAA33B8E704305B00401AF60FCB2A1D731A5968B90

Function 00AC3CF0 Relevance: 1.6, APIs: 1, Instructions: 120
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00AC3E0B

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 0fc9be9afef13d208e4ed4e576a10a9e5bf37d6d3f0c3993e1a3839de4ab416b
Instruction ID: 5d68d8f7527665dee92f45a0555f49b0a9643de128b70479c13bd9bad71c6a46
Opcode Fuzzy Hash: 0fc9be9afef13d208e4ed4e576a10a9e5bf37d6d3f0c3993e1a3839de4ab416b
Instruction Fuzzy Hash: 0941F272A11244DBC724EFA0FC82BE13BB5F798710F528519E641DB1B4EF7049A2CB81

Function 00AC45A9 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00AC4699

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: d873a43da5ce66e8fc535dc263128ba0ebf31213460f15ad673d52d71ea4af80
Instruction ID: 65f2dfe8a6dbf29f4b22a802dd6a7286a5307eb23e01da7e6254f5a0d637b71c
Opcode Fuzzy Hash: d873a43da5ce66e8fc535dc263128ba0ebf31213460f15ad673d52d71ea4af80
Instruction Fuzzy Hash: E311E2729112458F9724EFA0FE8A96937B0FB51345341442AE0438B279FF304513CB81

Function 00AA2800 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00AA2842

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: ec5bc7f2634977bb14df24af10010440cb4e138fcb7e0ad2457ec396913bbe51
Instruction ID: 3de15c755a340fc93687ca8d7f90b18bbd161d8d6267512c819ae42c1f63159e
Opcode Fuzzy Hash: ec5bc7f2634977bb14df24af10010440cb4e138fcb7e0ad2457ec396913bbe51
Instruction Fuzzy Hash: D5E026380012058BC314DF99DC8A8763376A744300384C10B99071B261CB38E487CF41

Function 00AAA4E0 Relevance: 1.3, APIs: 1, Instructions: 33
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 00AAA4FE

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: ee79391650abad4b9c1adb76416c567bf3dfb428d5d0f56f7f753c7df0793d32
Instruction ID: c2464474c55f0755f11a15ff4a8581c0ec47ca9e6c34dc4d28e2c60946e2e272
Opcode Fuzzy Hash: ee79391650abad4b9c1adb76416c567bf3dfb428d5d0f56f7f753c7df0793d32
Instruction Fuzzy Hash: 64F0AF71112210EFD701AFA2FD4D0E637B8FB993613818002E406DB279EF749822DB86

Non-executed Functions

Function 00AB0500 Relevance: 13.7, APIs: 9, Instructions: 170serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 00AB0537
CreateServiceA.ADVAPI32(00000000,005F4CA8,005F4CA8,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 00AB0596
ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 00AB0615
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AB062A
CloseServiceHandle.ADVAPI32(00000000), ref: 00AB06A7
OpenServiceA.ADVAPI32(00000000,005F4CA8,00000010), ref: 00AB06EB
StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 00AB072D
CloseServiceHandle.ADVAPI32(00000000), ref: 00AB073E
CloseServiceHandle.ADVAPI32(00000000), ref: 00AB07A8

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Service$CloseHandle$OpenStart$ChangeConfig2CreateManager
String ID:
API String ID: 3525021261-0
Opcode ID: c3cc900e47d022cb071874ae1be2bcd53cf6ae705b17a6e273aa7fbb2c1e5ea5
Instruction ID: fa7677326702d09e21a3c25f07ce73f60f90a04db6c905e28ef74b1ff782dc24
Opcode Fuzzy Hash: c3cc900e47d022cb071874ae1be2bcd53cf6ae705b17a6e273aa7fbb2c1e5ea5
Instruction Fuzzy Hash: A161EC31602650EFD310DFA0FC8ABA63BB4FB84B11F518515E442AB2B5DF7498A3CB46

Function 00AC9580 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 220filesleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000003E8,00000001), ref: 00AC9679
FindFirstFileA.KERNEL32(?,?), ref: 00AC97B8
DeleteFileA.KERNEL32(?), ref: 00AC98A9
FindNextFileA.KERNEL32(00000000,?), ref: 00AC98CB
FindClose.KERNEL32(00000000), ref: 00AC98E4

Strings

xI_, xrefs: 00AC96A7

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: FileFind$CloseDeleteFirstNextSleep
String ID: xI_
API String ID: 1528862845-2144098515
Opcode ID: e7170fed231a65f6a26df84ed6e38438101ed180bfa0d4a2f779730b51b543f4
Instruction ID: f3914fb718fd1826e1cc05b9453be0ef663d3185d7b338ac994b62d0ada474aa
Opcode Fuzzy Hash: e7170fed231a65f6a26df84ed6e38438101ed180bfa0d4a2f779730b51b543f4
Instruction Fuzzy Hash: 46912475901205DFC714DFB4FD86AE637B5FB98300B81C51AE9469B270EF348A92CB91

Function 00AAAF20 Relevance: 7.9, APIs: 5, Instructions: 385serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,80000000), ref: 00AAB0AA
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,?,00000024,?,?,00000000), ref: 00AAB15A
GetLastError.KERNEL32 ref: 00AAB17A
EnumServicesStatusA.ADVAPI32(00000000,00000030,00000003,00000000,?,?,?,00000000), ref: 00AAB216
CloseServiceHandle.ADVAPI32(00000000), ref: 00AAB41C

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: EnumServicesStatus$CloseErrorHandleLastManagerOpenService
String ID:
API String ID: 1579346331-0
Opcode ID: ca14e60a1135dc5bdc8803a64a4e3611256b24e9ccd0bfdd6e6c391071ea1737
Instruction ID: b9d30d35df87b63a15e9dd7a105db01ce014f49c910eb50642c1642ff7ccff18
Opcode Fuzzy Hash: ca14e60a1135dc5bdc8803a64a4e3611256b24e9ccd0bfdd6e6c391071ea1737
Instruction Fuzzy Hash: CCF188B2911201DFC724DFA4FDC96AA3BB0F799310B51851AD5429B2B5EF3088A3CF95

Function 00AB6C10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 187
registrysynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterServiceCtrlHandlerA.ADVAPI32(005F4CA8,Function_00011860), ref: 00AB6D72
SetServiceStatus.ADVAPI32(00000000,00B105F8), ref: 00AB6DD5
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00AB6DE9
SetServiceStatus.ADVAPI32(00000000,00B105F8), ref: 00AB6E8A
WaitForSingleObject.KERNEL32(00000000,00001388), ref: 00AB6EBE
SetServiceStatus.ADVAPI32(00000000,00B105F8), ref: 00AB6F2B
CloseHandle.KERNEL32(00000000), ref: 00AB6F42
SetServiceStatus.ADVAPI32(00000000,00B105F8), ref: 00AB6FAA

Strings

=ZMI, xrefs: 00AB6D10

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Service$Status$CloseCreateCtrlEventHandleHandlerObjectRegisterSingleWait
String ID: =ZMI
API String ID: 3399922960-150576250
Opcode ID: ae146f14ead6e2e973aa5c2425c7a997aa6e8e55b783edb44a0659bce73daf3a
Instruction ID: 6b3b04dee047dce54129de9b4f28f753b2bc633ccd369475407d87f71074c1f7
Opcode Fuzzy Hash: ae146f14ead6e2e973aa5c2425c7a997aa6e8e55b783edb44a0659bce73daf3a
Instruction Fuzzy Hash: C891CA70611392CFC314EFA5FDD95A63BB5F798700B81851AE4568B2B8CF7844A2CF45

Function 00AB4380 Relevance: 10.9, APIs: 7, Instructions: 387processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AB44A7
Process32First.KERNEL32(00000000,?), ref: 00AB45C2
CreateToolhelp32Snapshot.KERNEL32(00000008,?), ref: 00AB47CE
Module32First.KERNEL32(00000000,00000224), ref: 00AB4842
CloseHandle.KERNEL32(00000000,0000000A), ref: 00AB495A
Process32Next.KERNEL32(?,00000128), ref: 00AB49AD
CloseHandle.KERNEL32(00000000), ref: 00AB4A20

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseCreateFirstHandleProcess32SnapshotToolhelp32$Module32Next
String ID:
API String ID: 930127669-0
Opcode ID: b0ba545846d48338341197c4147510d0d758a68d619d0c6a444a97c07f10c3ec
Instruction ID: 01cbb54bee4b6cf869e725958ab3730d966a8eea3608ab7e188fff4b45950f54
Opcode Fuzzy Hash: b0ba545846d48338341197c4147510d0d758a68d619d0c6a444a97c07f10c3ec
Instruction Fuzzy Hash: 36F16571A01280CFD714DFA4FDC66A93BB9F788310B41851AD44A8B2B6EF3489A3CF51

Function 00AACA40 Relevance: 10.8, APIs: 7, Instructions: 345fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,?,00000000,00000003,00000000,00000000), ref: 00AACB20
ReadFile.KERNEL32(00000000,?,?,?,00000000), ref: 00AACB5D
CloseHandle.KERNEL32(00000000), ref: 00AACBBD
GetTickCount.KERNEL32 ref: 00AACC1D
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000000,00000000), ref: 00AACED4
WriteFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00AACF0E
CloseHandle.KERNEL32(00000000), ref: 00AACF47

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$CloseCreateHandle$CountReadTickWrite
String ID:
API String ID: 3478262135-0
Opcode ID: 3343a1a7e5f8741003cac16fe1a95529088646e0111a1c1497a2cd4011cb9d2d
Instruction ID: 39087c33b74b76ce1d7c3f72f8f0c3de7050004d153fd5d5bfa896e3028e3bf8
Opcode Fuzzy Hash: 3343a1a7e5f8741003cac16fe1a95529088646e0111a1c1497a2cd4011cb9d2d
Instruction Fuzzy Hash: 84E132B1A01240DFD304EFA4FD89AB937B4FB95720B51811AE8469B2F4EF304967CB95

Function 00AABBC0 Relevance: 10.7, APIs: 7, Instructions: 205processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AABC90
Process32First.KERNEL32(00000000,?), ref: 00AABCE3
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AABDDD

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CreateFirstOpenProcessProcess32SnapshotToolhelp32
String ID:
API String ID: 3397401024-0
Opcode ID: 9d9454c77b210ecfd90b576d3c94768a7e03ccdee0fea202d5562b955ffd6491
Instruction ID: f303e8a9a04f4a1e812f1ac28a49a55ec2faed7f09dc9134e38ece49bf234fb9
Opcode Fuzzy Hash: 9d9454c77b210ecfd90b576d3c94768a7e03ccdee0fea202d5562b955ffd6491
Instruction Fuzzy Hash: 13911175621205CFC724DFA4FCD9AAA37B9FB98310B51811AD4028B2B5DF388996CF50

Function 00AB1530 Relevance: 9.2, APIs: 6, Instructions: 176filetimeCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00AB15C3
GetFileTime.KERNEL32(00000000,?,?,?), ref: 00AB168A
CloseHandle.KERNEL32(00000000), ref: 00AB16A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AB1715
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 00AB1774
CloseHandle.KERNEL32(00000000), ref: 00AB1792

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: 912969119452d91634b8e93d3f46ded5a8801ff13677ec057cbda0b473b09739
Instruction ID: 81e67c041df22d4ec00069ea63050afff373179b509da781e93bbd261becc008
Opcode Fuzzy Hash: 912969119452d91634b8e93d3f46ded5a8801ff13677ec057cbda0b473b09739
Instruction Fuzzy Hash: 01710171A02204DFC710EFA9FCC56B97BB8FB88710B91895AE445972B5EF344866CF44

Function 00AABD08 Relevance: 7.6, APIs: 5, Instructions: 141COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AABDDD
TerminateProcess.KERNEL32(00000000,000000FF), ref: 00AABE24
CloseHandle.KERNEL32(00000000), ref: 00AABE68
Process32Next.KERNEL32(00000000,00000128), ref: 00AABF01
CloseHandle.KERNEL32(00000000), ref: 00AABF2F

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate
String ID:
API String ID: 3173823348-0
Opcode ID: 571a0a08f4f1c173af46c398a3691e2869290eeb9224dc3274069477641c4eab
Instruction ID: 228ca21b51547f68f71ed7303fab3e40426f13915614143428aa714e12325ed1
Opcode Fuzzy Hash: 571a0a08f4f1c173af46c398a3691e2869290eeb9224dc3274069477641c4eab
Instruction Fuzzy Hash: 4C512075A11205DFC724DFA4FCD9ABA37F9FB98315B11811AE4028B2B5EB348982CF50

Function 00AD5440 Relevance: 7.6, APIs: 5, Instructions: 71synchronizationthreadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD54B2
CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000), ref: 00AD54E4
CloseHandle.KERNEL32(00000000,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD551D
WaitForSingleObject.KERNEL32(?,000000FF,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD5538
CloseHandle.KERNEL32(?,?,000000FF,?,00ABE92E,00ABCA40,00000000,?), ref: 00AD554B

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseCreateHandle$EventObjectSingleThreadWait
String ID:
API String ID: 1404307249-0
Opcode ID: 407ed96c78aa5172114d202869edf0fa7a4358faaff715771a847ef1bbebc32b
Instruction ID: 6f654c5d8732999bf99500b3527c963bdc026cc2b9aaf85ef2fed62da413334a
Opcode Fuzzy Hash: 407ed96c78aa5172114d202869edf0fa7a4358faaff715771a847ef1bbebc32b
Instruction Fuzzy Hash: A631BB30A01301DBD314DFA4FC89BA27BA5FB88711F51C50AE6569F6B4EB709882CF91

Function 00ABD0F0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 352sleepfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00AD5370: CloseHandle.KERNEL32(?,00000000,?,00AB14A0,00000000,00B2AF24,00000004,00000001,00000000), ref: 00AD5398

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00ABD469
Sleep.KERNEL32(00015F90), ref: 00ABD64A
DeleteFileA.KERNEL32(?), ref: 00ABD68A

Strings

L_, xrefs: 00ABD4B2, 00ABD559

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: File$CloseDeleteHandleModuleNameSleep
String ID: L_
API String ID: 1994844100-1126815984
Opcode ID: 9b82271fa49d80b40b4c00e0acf44a0c3db024e691a1fdf5e792e83e08f7eb85
Instruction ID: c79336320199b5a750057aaea62a3e6f247b62eb8ce0636550542d30c77979cb
Opcode Fuzzy Hash: 9b82271fa49d80b40b4c00e0acf44a0c3db024e691a1fdf5e792e83e08f7eb85
Instruction Fuzzy Hash: C9E12271901201CFD714EFA8FE95AE63BB5FB84310F50851AE5068B2B9EF758893CB94

Function 00ACFA80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,00ABED48,00000000,00000000,00000000,00000008,00000000,00000000,00000044,?,?,?,?,?,?,00000000), ref: 00ACFBF1
CloseHandle.KERNEL32(00ABED48,?,?,?,?,?,00000000), ref: 00ACFC2F
CloseHandle.KERNEL32(?,?,?,?,?,?,00000000), ref: 00ACFC58

Strings

D, xrefs: 00ACFB8F

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseHandle$CreateProcess
String ID: D
API String ID: 2922976086-2746444292
Opcode ID: d31ba846d7b7ae4a78ccf8a4aa5a4d79155f4699cd3494d68560116df569977f
Instruction ID: 8227ec508b7e5568a6ad13455006c4b1223c16436e29521ca150bae4bc19ad72
Opcode Fuzzy Hash: d31ba846d7b7ae4a78ccf8a4aa5a4d79155f4699cd3494d68560116df569977f
Instruction Fuzzy Hash: 1A510D31961214DBD704EFA8FC86BB63BF5FB58711F40801AE5069B2B4EF749862CB85

Function 00AAD000 Relevance: 6.3, APIs: 4, Instructions: 269fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00AAD11A
ReadFile.KERNEL32(00000000,?,00005000,?,00000000), ref: 00AAD1CC
CloseHandle.KERNEL32(00000000,?,00000000), ref: 00AAD3EE
CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00AAD2E9

Part of subcall function 00ACFCC0: ReleaseMutex.KERNEL32(00AAD410,?,00AAD410,00000108), ref: 00ACFCE9

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CloseFileHandle$CreateMutexReadRelease
String ID:
API String ID: 1760212717-0
Opcode ID: 4d8a8c1c900746c5dae43eee8021391314254f09ee0b584a73ee2bff95a7435f
Instruction ID: 78078e2f58fd147cd1e52a7ad78edf1e46b113a718332d7462acacda160d2adc
Opcode Fuzzy Hash: 4d8a8c1c900746c5dae43eee8021391314254f09ee0b584a73ee2bff95a7435f
Instruction Fuzzy Hash: 50B156B2A11600DBC714EFA4FCC96A937B5FB94301F128456E1469B2F5EF3049A6CB41

Function 00AB2120 Relevance: 6.2, APIs: 4, Instructions: 207processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00AB21D0
Process32First.KERNEL32(00000000,00000128), ref: 00AB2257
Process32Next.KERNEL32(00000000,00000128), ref: 00AB2384
CloseHandle.KERNEL32(00000000), ref: 00AB2426

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 8a06b21e068fe4a41c50353623f250ecc4b07c9bc80c0ce26c635943a5542498
Instruction ID: 07653b86540fa4be25354f526e38c477286bc52ab27ef0ce646e5b92c5514524
Opcode Fuzzy Hash: 8a06b21e068fe4a41c50353623f250ecc4b07c9bc80c0ce26c635943a5542498
Instruction Fuzzy Hash: 2C912F71A11214CBD310DFA5FC89BE63BB8FBA4310F51811AD8429B2B5EF7489A2CF51

Function 00AB68D0 Relevance: 6.1, APIs: 4, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000000,?,?,00AB03A9,00000000,?), ref: 00AB6957
RtlReAllocateHeap.NTDLL(00000000,?,00AB03A9,00000000), ref: 00AB695E
GetProcessHeap.KERNEL32(00000000,?,?,00AB03A9,00000000,?), ref: 00AB69C8
HeapAlloc.KERNEL32(00000000,?,00AB03A9,00000000,?), ref: 00AB69CF

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: Heap$Process$AllocAllocate
String ID:
API String ID: 1154092256-0
Opcode ID: eeb0b182394d46f6f07ae004e574f1753b4bf47a68331090d8a4ff415b3e4157
Instruction ID: bcfb9d685a85ccf5dfccce8e2c22894655d74ca8990e8256cec42d2d9e20973d
Opcode Fuzzy Hash: eeb0b182394d46f6f07ae004e574f1753b4bf47a68331090d8a4ff415b3e4157
Instruction Fuzzy Hash: 4C21AC71642204DFD709EFA1FEC95A03F78F790310BA28415D586976B8EF3198A2CF50

Function 00AC0FD8 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 409COMMON

Download Yara Rule

Strings

/, xrefs: 00AC100F
XH, xrefs: 00AC153C

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID:
String ID: XH$/
API String ID: 0-571299465
Opcode ID: 11bb30fd0cc485a160661d60945ce9b7550e9ada06c69df9ac9a04a4c1f80322
Instruction ID: 30f29d76f5246cf0742cbd736db69312aa76c03980ec3b38e0752e76e2143054
Opcode Fuzzy Hash: 11bb30fd0cc485a160661d60945ce9b7550e9ada06c69df9ac9a04a4c1f80322
Instruction Fuzzy Hash: FDF1FF31A01255DFDB14EFA0FD92AFE77B8FB55310F41812AE4465B2A2EF304A56CB60

Function 00AD50E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(00AC247D,00000001,?,?,00AC247D), ref: 00AD518C
GetTickCount.KERNEL32 ref: 00AD52BE

Strings

@AB , xrefs: 00AD52CD

Memory Dump Source

Source File: 0000000B.00000002.1308960030.0000000000AA1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00AA0000, based on PE: true

Associated: 0000000B.00000002.1308943861.0000000000AA0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1308989468.0000000000AD7000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADC000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000ADE000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000AE8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B19000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309008133.0000000000B2A000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000B.00000002.1309104849.0000000000B2B000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_aa0000_idtpqzltyfy.jbxd

Similarity

API ID: CountSystemTickTime
String ID: @AB
API String ID: 2164215191-841575833
Opcode ID: 24a2a738b4c22cae69aa1b3a11c056efbf02e692ec5a609cf127a3f868102ed8
Instruction ID: 464ca0ebe48867a0cc7bfe25d646bc6206bcb08b02c0b97174d0cac2a48faeb1
Opcode Fuzzy Hash: 24a2a738b4c22cae69aa1b3a11c056efbf02e692ec5a609cf127a3f868102ed8
Instruction Fuzzy Hash: 3D51EE72A01690CFC318EFF9FDC95653BB1F7A43403458556E48A8B2B4EF749862CB85

Analysis Process: amdrhfskpcu.exePID: 916, Parent PID: 1840COMMON

Executed Functions

Function 002E7A04 Relevance: 60.1, APIs: 28, Strings: 5, Instructions: 2326sleepfilesynchronizationCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(00000000,C:\Windows\system32\config\systemprofile,00000104), ref: 002E83DA
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 002E8448
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 002E84DC
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 002E84F7
GetTickCount.KERNEL32 ref: 002E8599

Part of subcall function 002F5200: GetVersionExA.KERNEL32(0036AE70), ref: 002F52CC

Sleep.KERNEL32(00000D05), ref: 002E8B70
Sleep.KERNELBASE(000007D0), ref: 002E8DAC
GetModuleFileNameA.KERNEL32(00000000,?,00000200), ref: 002E8E86
SetFileAttributesA.KERNEL32(?,00000080), ref: 002E8E9F
CopyFileA.KERNEL32(?,?,00000000), ref: 002E8EC3
SetFileAttributesA.KERNEL32(?,00000002), ref: 002E912B
SetFileAttributesA.KERNEL32(?,00000080), ref: 002E9186
GetCommandLineA.KERNEL32 ref: 002E9265
GetModuleFileNameA.KERNEL32(00000000,?), ref: 002E9370

Part of subcall function 002EA4E0: lstrlen.KERNEL32(?), ref: 002EA4FE

Part of subcall function 002ED500: lstrlen.KERNEL32(?,?,002ED630,?), ref: 002ED523

MessageBoxA.USER32(00000000,00000004,00000005,?), ref: 002E96D4
CloseHandle.KERNEL32(00000000), ref: 002E9AC8
SetFileAttributesA.KERNEL32(?,00000080), ref: 002E9AEC
CopyFileA.KERNEL32(?,?,00000000), ref: 002E9B0C
SetFileAttributesA.KERNEL32(?,00000002), ref: 002E9B3B
Sleep.KERNEL32(000003E8), ref: 002E9C52
Sleep.KERNELBASE(000003E8), ref: 002E8CB2

Part of subcall function 002EBBC0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002EBC90
Part of subcall function 002EBBC0: Process32First.KERNEL32(00000000,?), ref: 002EBCE3

GetCommandLineA.KERNEL32 ref: 002E86AE

Part of subcall function 002E2800: ExitProcess.KERNEL32 ref: 002E2842

Part of subcall function 003108B0: GetSystemTimeAsFileTime.KERNEL32(?), ref: 00310929
Part of subcall function 003108B0: __aulldiv.LIBCMT ref: 00310953

Sleep.KERNEL32(000007D0), ref: 002E9E32
SetFileAttributesA.KERNEL32(0032D800,00000080), ref: 002E9E88
CopyFileA.KERNEL32(?,0032D800,00000000), ref: 002E9EA6
SetFileAttributesA.KERNEL32(0032D800,00000002), ref: 002E9EC5

Part of subcall function 002F0500: OpenSCManagerA.ADVAPI32(00000000,00000000,00000002), ref: 002F0537
Part of subcall function 002F0500: CreateServiceA.ADVAPI32(00000000,00F82F68,00F82F68,000F01FF,00000110,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 002F0596
Part of subcall function 002F0500: ChangeServiceConfig2A.ADVAPI32(00000000,00000001,?), ref: 002F0615
Part of subcall function 002F0500: StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 002F062A

CreateThread.KERNEL32(00000000,00000000,Function_000222A0,00000000,00000000,00000000), ref: 002EA26A
Sleep.KERNEL32(0000C350), ref: 002EA327

Strings

@L, xrefs: 002E7E24
zS, xrefs: 002E9CD7
%Tmd, xrefs: 002E8421
C:\Windows\system32\config\systemprofile, xrefs: 002E83D4
}en, xrefs: 002E9856

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: File$Attributes$CreateSleep$CopyMutexService$CommandLineModuleNameTimelstrlen$ChangeCloseConfig2CountEnvironmentExitFirstHandleManagerMessageOpenProcessProcess32SnapshotStartSystemThreadTickToolhelp32VariableVersion__aulldiv
String ID: zS$%Tmd$C:\Windows\system32\config\systemprofile$@L$}en
API String ID: 2964372999-1718768463
Opcode ID: 7f7e3d41619524f493cea00ba05f001622d9d0522b2303e2197b68b9f50566a5
Instruction ID: 2c70e88785ffeee8a91e1cd27041cf7ff775024f2cf2c3d92bf82c8814250f97
Opcode Fuzzy Hash: 7f7e3d41619524f493cea00ba05f001622d9d0522b2303e2197b68b9f50566a5
Instruction Fuzzy Hash: A7233271A10701DFD317EF21FC8A6663BBCFB99302F51841AE446962B5EBB098A1CF51

Function 002F1530 Relevance: 9.2, APIs: 6, Instructions: 176
filetimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,00000000,00000000,00000000,00000003,00000000,00000000), ref: 002F15C3
GetFileTime.KERNEL32(00000000,?,?,?), ref: 002F168A
CloseHandle.KERNEL32(00000000), ref: 002F16A7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 002F1715
GetFileSize.KERNEL32(00000000,00000000,2AC18000,FE624E21,00989680,00000000), ref: 002F1774
CloseHandle.KERNEL32(00000000), ref: 002F1792

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: File$CloseHandle$CreateSizeTimeUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 3236713533-0
Opcode ID: a834a6c2ffb5c3b5bd7932f83624f286e34f4b5c69703c144e87b0109788b47e
Instruction ID: 3924e9bb0d65e5895845615c738ffe47f107c6a89dbc1a285cc6171fefb69cec
Opcode Fuzzy Hash: a834a6c2ffb5c3b5bd7932f83624f286e34f4b5c69703c144e87b0109788b47e
Instruction Fuzzy Hash: 2B711D71A01708DFC7139F69FC85275BBBCFB88712F21851AE545A22B4E77048A5CF84

Function 002F2120 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 002F21D0
Process32First.KERNEL32(00000000,00000128), ref: 002F2257
Process32Next.KERNEL32(00000000,00000128), ref: 002F2384
FindCloseChangeNotification.KERNELBASE(00000000), ref: 002F2426

Strings

eoj, xrefs: 002F2370, 002F237E

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
String ID: eoj
API String ID: 3243318325-2229969893
Opcode ID: 0c122588f81af79057160f5a91bba614fcc284bd36a7b6a0bd2beb8c2bdf52bc
Instruction ID: 79fdaca6aac8ec78573a35d619491c3d615fcf0bb76104e46258b1bee9a6980d
Opcode Fuzzy Hash: 0c122588f81af79057160f5a91bba614fcc284bd36a7b6a0bd2beb8c2bdf52bc
Instruction Fuzzy Hash: 4A9130B1A10314CFC327DF21FC896A677BCFB99351F11801AC842962B4EBB499A6CF51

Function 002EBD08 Relevance: 7.6, APIs: 5, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenProcess.KERNEL32(00000001,00000000,?), ref: 002EBDDD
TerminateProcess.KERNELBASE(00000000,000000FF), ref: 002EBE24
CloseHandle.KERNEL32(00000000), ref: 002EBE68
Process32Next.KERNEL32(00000000,00000128), ref: 002EBF01
CloseHandle.KERNEL32(00000000), ref: 002EBF2F

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: CloseHandleProcess$NextOpenProcess32Terminate
String ID:
API String ID: 3173823348-0
Opcode ID: 4875b03450f39bda78c1fe2ffc26c876657c989c1c79b4a2c2cac468f23615d3
Instruction ID: f3660b55adbf2a8db384aca512bc9d1032ca38d446d0b2017ddde821eeeb945a
Opcode Fuzzy Hash: 4875b03450f39bda78c1fe2ffc26c876657c989c1c79b4a2c2cac468f23615d3
Instruction Fuzzy Hash: 23510E75611305DFC72ADF21FCA5AAA37BDFB88316F55811AE40297270DB7889A2CF40

Function 002F1D90 Relevance: 4.7, APIs: 3, Instructions: 187
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00303110: WaitForSingleObject.KERNEL32(?,00004E20,?,002ED0F2,00000108), ref: 003031AD

CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 002F1E7B

Part of subcall function 0030FCC0: ReleaseMutex.KERNEL32(002ED410,?,002ED410,00000108), ref: 0030FCE9

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: CreateFileMutexObjectReleaseSingleWait
String ID:
API String ID: 1564016613-0
Opcode ID: 6358bf1fb481daa589a118b35f85218d9af38aaa86417bb329eae5be94a33740
Instruction ID: ca454b39824b8e21a80d739826545227a5ff1fa64d5cafc7e8db7572a246997d
Opcode Fuzzy Hash: 6358bf1fb481daa589a118b35f85218d9af38aaa86417bb329eae5be94a33740
Instruction Fuzzy Hash: 18714435611308DFC326CF24FC96A6A77BCFB98306F418129E905876B0DB71A961CF81

Function 003045A9 Relevance: 1.6, APIs: 1, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 00304699

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: c6d2dee58f13a95ea89e815894a188fbe7c08a4fc7b319edfb9df288a4bec7e1
Instruction ID: d1cfa845d03d277507b23587907299b2cc48d983c6ed7e5a8cdb0afdb736ad17
Opcode Fuzzy Hash: c6d2dee58f13a95ea89e815894a188fbe7c08a4fc7b319edfb9df288a4bec7e1
Instruction Fuzzy Hash: 50115772522605CFC72BBF70FE8A56137BCF755346F06842AD543862B9EB318552CB81

Function 002E2800 Relevance: 1.5, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 002E2842

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8091086b550ecaa8dc9ec5acbc58a613e5b955ad09bffc03ea368da9771aa2d9
Instruction ID: 8a24c9f57c17c76954fddcc1a94b095409a0b3e395497fb68b3c6c2e21c2155b
Opcode Fuzzy Hash: 8091086b550ecaa8dc9ec5acbc58a613e5b955ad09bffc03ea368da9771aa2d9
Instruction Fuzzy Hash: 69E08C78064309CBC30ADF25D8969B673ADAB88304BA4C15A99169B260CB34A585DF95

Function 002EA4E0 Relevance: 1.3, APIs: 1, Instructions: 33
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(?), ref: 002EA4FE

Memory Dump Source

Source File: 00000010.00000002.3038342789.00000000002E1000.00000020.00000001.01000000.00000008.sdmp, Offset: 002E0000, based on PE: true

Associated: 00000010.00000002.3038321281.00000000002E0000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038374161.0000000000317000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000031C000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.0000000000359000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038393936.000000000036A000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.3038462624.000000000036B000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2e0000_amdrhfskpcu.jbxd

Similarity

API ID: lstrlen
String ID:
API String ID: 1659193697-0
Opcode ID: bfe6e0270e652905f05036692ecbe044f26f83f432b71a888d246d65159d5b8d
Instruction ID: 769b1e6064e0b36b1a8de68f0a43df1fe5eb66403a8c18ce8c010198d6040208
Opcode Fuzzy Hash: bfe6e0270e652905f05036692ecbe044f26f83f432b71a888d246d65159d5b8d
Instruction Fuzzy Hash: E0F0AFB1211B20EFC7035F62FD0A4A637BCFB8D362F424012E54696234EB745821DF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mtuXDnH1Di.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\whfkpbh\euwvjohdxkkj

C:\whfkpbh\amdrhfskpcu.exe

C:\whfkpbh\euwvjohdxkkj

C:\whfkpbh\idtpqzltyfy.exe

C:\whfkpbh\qbf43feev7f7qnhdav.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
mtuXDnH1Di.exe

Function 00605200 Relevance: 30.9, APIs: 12, Strings: 5, Instructions: 1106
fileCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre